Preface



This volume gathers the papers presented at three workshops that are 
embedded in the IFIP/Sec Conference in 2004, to highlight specific topics 
that are currently particularly active in security. 

The first one is the 10th IFIP Annual Working Conference on 
Information Security Management. It is organized by the IFIP WG 11.1, 
which is itself dedicated to Information Security Management, i.e., not only 
to the practical implementation of new security technology issued from 
recent research and development, but also and mostly to the improvement of 
security practice in all organizations, from multinational corporations to 
small enterprises. Methods and techniques are developed to increase 
personal awareness and education in security, analyze and manage risks, 
identify security policies, evaluate and certify products, processes and 
systems. Matt Warren, from Deakin University, Australia, who is the current 
Chair of WG 11.1, acted as the Program Chair. 

The second workshop is organized by the IFIP WG 11.8, dedicated to 
Information Security Education. This workshop is a follow-up of three 
issues of the World Conference on Information Security Education (WISE) 
that were also organized by WG 11.8. The first WISE was organized by 
Louise Yngstrom in 1999 in Stockholm, and the next one, WISE 4, will be 
held in Moscow, Russia, 18-20 May 2005. This year, the workshop is aimed 
at developing a first draft of an international doctorate program allowing a 
specialization in IT Security. The draft will be based upon both selected 
papers from individuals or groups (from academic, military and government 
organizations), and discussions at the workshop. This draft will be further 
refined and eventually published as an IFIP Report. The Program Committee 
was chaired by Helen Armstrong, from Curtin University, Australia, who is 
also the Chair of the IFIP WG 11.8. 

Finally, the last workshop is the 3rd Working Conference on Privacy and 
Anonymity in Networked and Distributed Systems (I-NetSec04), organized 
by the IFIP WG 11.4 on Network Security. The purpose of the workshop is 
to bring together privacy and anonymity experts from around the world to 
discuss recent advances and new perspectives on these topics, that are 
increasingly important aspects in electronic services, especially in advanced 
distributed applications, such as m-commerce, agent-based systems, P2P, 
etc. The Program Committee was co-chaired by Bart De Decker, from the 
Catholic University of Leuven, Belgium, who is also chairing the IFIP WG 
11.4, and by Els Van Herreweghen, from IBM Research Lab, Zurich, 
Switzerland. 

The carefully selected papers gathered in this volume show the richness 
of the information security domain, as well as the liveliness of the working 
groups cooperating in the IFIP TC-11 on Security and Protection in 
Information Processing Systems. 

Yves Deswarte 

General Chair 
CORPORATE INFORMATION SECURITY EDUCATION: 

Is Outcomes Based Education the Solution? 



Johan Van Niekerk (1) and Rossouw Von Solms (2) 

(1) Department of Business Information Systems, Port Elizabeth Technikon; (2) Department of 
Information Technology, Port Elizabeth Technikon 



Abstract: Today’s global economy is increasingly dependent on the creation, 
management, and distribution of information resources. Information and its 
use permeate all aspects of modern society. Most modern organizations need 
information systems to survive and prosper. Information has become a 
valuable commodity and as such needs to be protected. This protection is 
typically implemented in the form of various security controls. In order for 
these controls to be effective, the users in the organization need to be educated 
regarding these controls. Recent studies have indicated that current user 
education programs fail to pay adequate attention to behavioral theories. This 
paper examines the educational principles an information security user 
education program should adhere to. It then introduces outcomes based 
education (OBE) and finally argues that OBE is ideally suited for the needs of 
information security. 

Keywords: Information Security, Information Security Culture, Outcomes Based 
Education, Awareness 



1. INTRODUCTION 

In today’s business world, information is a valuable commodity and as 
such, needs to be protected. Information affects all aspects of today’s 
businesses, from top management right down to the operational level 
(Turban et al., 2002, pp. 3-37). In order to avoid loss or damage to this 
valuable resource, companies need to be serious about protecting their 
information. This protection is typically implemented in the form of various 
security controls (Barnard & Von Solms, 2000). However, it is very difficult 
to know exactly which controls would be required in order to guarantee an 
acceptable minimum level of security. Furthermore, managing these controls 
to see that they are always up to date and implemented uniformly throughout 
the organization is a constant headache to organizations. 

When selecting the controls to implement in an organization, it is 
important to refer to accepted international standards (Von Solms, 1999). 
There exist several internationally accepted standards and codes of practice 
to assist organizations in the implementation and management of an 
organizational information security strategy. Some of the better known 
examples would include the ISO/IEC 17799 (British Standards Institute 
(BSI), 1999) and ISO/IEC 13335 also known as GMITS (Guidelines to the 
Management of Information Technology Security (GMITS), 1995). 

These standards and codes of practice provide organizations with 
guidelines specifying how the problem of managing information security 
should be approached (Von Solms, 1999). One of the primary controls 
identified by many of the major IT security standards published to date is the 
introduction of a corporate information security awareness program (BSI, 
1999; GMITS, 1995). The purpose of such a program is to educate the users 
about information security or, more specifically, to educate users about the 
individual roles they should play in the effective execution and maintenance 
of these controls. Most security controls, whether physical, technical, 
managerial or administrative in nature, require some form of human 
involvement. This paper will examine this dependence of information 
security on human involvement with specific emphasis on the role user 
education has to play in a corporate information security strategy. It will then 
propose outcomes based education (OBE) as a pedagogical methodology 
suitable for the information security education needs of organizations. 



2. THE HUMAN SIDE OF INFORMATION 
SECURITY 

Information security controls can generally be sub-divided into three 
categories: Physical controls, Technical controls and Operational controls 
(Thomson, 1998, p. 29). Physical controls deal with the physical aspects of 
security, for example; the lock on the door of an office containing sensitive 
documents. Technical controls are controls of a technical nature, usually 
software based, for example; forcing a user to authenticate with a unique 
username and password before allowing the user to access the operating 
system. The third category, operational controls, collectively including 
business, administrative, managerial and procedural controls, consists of 
all controls that deal with human behavior in one form or another. These 
controls would include those that deal with the creation of information 
security policies and procedures, and administration of other controls. Both 
physical and technical controls, even though they do not deal directly with 
operational issues, usually require some form of human involvement. In an 
organizational context, these controls would thus have to be supported by 
procedures outlining the employee’s involvement in the use of these 
controls. 

Employees, whether intentionally or through negligence, often due to a 
lack of knowledge, are the greatest threat to information security (Thomson, 
1998, p. 12, Mitnick & Simon, 2002, p. 3). Operational controls rely on 
human behavior. This means that these controls are arguably some of the 
weakest links in information security. Unfortunately, both physical and 
technical controls rely to some extent on these operational controls for 
effectiveness. As an example, an operational control might state that a user 
leaving his/her office must logoff from the operating system and lock his/her 
office door. If a user were to ignore this procedure, both the technical control 
forcing authentication and the physical control of having a lock on the door 
would be rendered useless. Thus, anyone who thinks that security products, 
i.e. technical and physical controls, alone, offer true security is settling for 
the illusion of security (Mitnick & Simon, 2002, p. 4). 

Siponen (2001) describes this tendency of organizations to settle for the 
illusion of security as a general human tendency to often blindly ignore 
complications in IT related issues. Without an adequate level of user 
cooperation and knowledge, many security techniques are liable to be misused 
or misinterpreted by users. This may result in even an adequate security 
measure becoming inadequate (Siponen, 2001). Organizations cannot protect 
the integrity, confidentiality, and availability of information in today’s 
highly networked systems environment without ensuring that each person 
involved understands his/her roles and responsibilities and is adequately 
trained to perform them (National Institute of Standards and Technology 
(NIST), 1998, p. 3). 

Teaching employees their roles and responsibilities relating to 
information security requires the investment of company resources in a user 
education program. However, budgetary requirements for security education 
and training are generally not a top priority for organizations (Nosworthy, 
2000). Organizations often spend most of their information security budget on 
technical controls and fail to realize that a successful information security 
management program requires a balance of technical and business controls 
(Nosworthy, 2000). Business controls in this sense refer to operational 
controls. According to Dhillon (1999), increasing awareness of security 
issues is the most cost-effective control that an organization can implement. 
However, in order to ensure that the maximum return on investment is 
gained, special care should be taken to ensure the success of the user 
education programs used. For educational programs this would mean 
ensuring adherence to proper pedagogical principles when these educational 
programs are compiled. 

Most current user education programs fail to pay adequate attention to 
behavioral theories (Siponen, 2001). The emphasis of user education 
programs should be to build an organizational sub-culture of security 
awareness, by instilling the aspects of information security in every 
employee as a natural way of performing his or her daily job (Von Solms, 
2000). Recent studies have indicated that the establishment of an information 
security “culture” in the organization is desirable for effective information 
security (Von Solms, 2000). Such a culture should support all business 
activities in such a way that information security becomes a natural aspect in 
the daily activities of every employee (Schlienger & Teufel, 2003). A 
detailed examination of how such a culture could be established in an 
organization falls outside the scope of this paper. Instead this paper will 
focus only on user education, one of the cornerstones required for the 
establishment of such a culture. For more information on the establishment 
of such a culture see e.g. (Van Niekerk & Von Solms, 2003; Schlienger & 
Teufel, 2003). 



3. ELEMENTS OF INFORMATION SECURITY 
EDUCATION 

The user education programs needed for information security purposes 
differ from traditional educational programs. Unlike traditional educational 
programs, these programs will primarily be aimed at teaching adults. Adults 
have well established, not formative, values, beliefs, and opinions (NIST, 
1998, p. 20). The educational methodology used should thus be suitable for 
adult education. Furthermore, there are several other requirements specific to 
the role that such a program will play in the overall organization’s 
information security efforts. In the following sections, this paper will suggest 
and attempt to motivate some of the features that should typically constitute 
such an information security education program. 
3.1 Everyone should be able to “pass” the course. 

Nosworthy (2000) states that each person in the organization, from the 
CEO to housekeeping staff, must be aware of, and trained to exercise, their 
responsibilities towards information security. However, in traditional 
educational models there is usually a percentage of the learners who do not 
pass the course, or in other words, do not successfully meet the assessment criteria. 
In order for an organization's information to be secure, everyone needs to 
not only be trained, but to “pass” the training. Unlike traditional education, 
failing an information security educational program cannot be accepted. 
Workers at every level, even those who do not use a computer, are liable to 
be targeted (Mitnick & Simon, 2002, p. 39). This means that having even a 
single person who does not know his/her information security 
responsibilities should be unacceptable. 

3.2 Employees must know why information security is 
important and why a specific policy or control is in 
place. 

Recent studies have suggested that current information security 
awareness programs are failing (Siponen, 2001). This failure is due to many 
reasons. Schlienger & Teufel (2003) have shown that even employees who 
know their responsibilities with regards to information security will still 
disobey security policy if they disagree with the policy. They suggest that 
the mere awareness of the policies and procedures is in fact not sufficient, 
the users also need to know why a specific policy or control is in place 
(Schlienger & Teufel, 2003). In information security, being taught why a 
specific policy or control is in place is generally considered to be a feature of 
education, and not of awareness (Schlienger & Teufel, 2003; NIST, 1998, 
pp. 16-17). Information security “education” is generally sub-divided into 
three levels, namely; awareness, training and education. Awareness simply 
focuses attention on information security. Training is more interactive and 
tries to instill the necessary skills and competencies. Education integrates all 
of the security skills and competencies of the various functional specialties 
into a common body of knowledge and adds a multi-disciplinary study of 
concepts, issues, and principles (NIST, 1998, pp. 15-16). A feature of the 
educational level is that the user must understand why information security 
is important (Schlienger & Teufel, 2003; NIST, 1998, pp. 16-17). Obviously 
end-users do not require the same level of understanding as information 
security professionals (NIST, 1998, p. 14). You don't need to understand 
why procedures are in place or how the technologies work to use them 
effectively (Tripathy, 2000; NIST 1998, p. 15). However, in information 
security, if a user asks why, it should always be explained (Tripathy, 2000). 

3.3 Learning materials should be customized to the 
needs of individual learners. 

In an organizational context, users of information exist at several levels. 
There are essentially three categories of users that need to be educated in 
information security awareness namely: The End User, IT Personnel and 
Top Management (Thompson, 1998). The National Institute of Standards and 
Technology (NIST) expands on this classification by stating that training and 
education are to be provided selectively, based on individual responsibilities 
and needs. Specifically, training is to be provided to individuals based on 
their particular job functions (NIST, 1998, p. 43). The ISO/IEC 17799 states 
that the information security policy should be communicated throughout the 
organization to users in a form that is relevant, accessible and 
understandable to the intended reader (BSI, 1999, p. 3). According to NIST, 
individuals learn in several ways, but each person, as part of his/her 
personality, has a preferred or primary learning style. Instruction can 
positively, or negatively, affect a student’s performance, depending on 
whether it is matched, or mismatched, with a student’s preferred learning 
style (NIST, 1998, p. 19). Thus, what should be taught to a specific 
individual user and how it should be taught, will depend on both the user’s 
preferred learning style, and the specific role that user plays within the 
organization. 

3.4 Users should be responsible for their own learning. 

In today’s organizations it is crucial to maximize return on investment. 
Through its very nature classroom training requires the availability of highly 
trained specialists to present the courses. It also requires that the learners 
take time off from their regular duties to attend classes. These factors make 
classroom training very expensive. One of the most cost-effective substitutes 
for traditional classroom training is to provide employees with intranet-based 
instruction (O’Brien, 1999, p.361). Such web-based instructional programs 
require individual learners to be responsible for their own acquisition of 
knowledge instead of being passive receptors in the process (ITiCSE 
Working Group on the Web and Distance Learning, 1997). Self-driven 
learning also enables organizations to make learning material available in a 
variety of formats. This in turn means users will have a choice of how they 
are taught, which has already been shown to be a necessary feature of 
information security education. 

3.5 Users should be held accountable for their studies. 

Most information security standards make it clear that users should be 
held accountable for their information security responsibilities (BSI, 1999, 
pp. 8-10). These responsibilities are normally spelt out in the organization's 
information security policies and procedures. In an organization, policies 
function in a similar fashion to laws. For laws, ignorance is not a valid 
defense. However, ignorance of policy is an acceptable defense (Whitman & 
Mattord, 2003, p. 93). Thus, to be able to hold employees accountable for 
their actions, the organization should have proof, normally in the form of a 
signed form, that the employees have been educated regarding their 
responsibilities and that they understand and accept these responsibilities as 
laid out in the policies (Whitman & Mattord, 2003, p. 93). Wood (1997) 
suggests that all employees should be required, on an annual basis, to sign a 
statement saying that they have read and understood the information security 
policy manual. It should thus be clear that self-driven learning for 
information security purposes, as discussed previously, could only be used if 
the employees are also held accountable for their learning. Otherwise the 
organization could not legally hold the employees accountable for their 
actions. 

Many organizations have realized that their own employees are the 
biggest threat to their information systems (Von Solms, 2000). However, 
through the establishment of a culture of information security, users can 
become a security asset instead of being a threat (Von Solms, 2000). 
Education of employees plays a very important role in the establishment of 
such a culture. It is paramount that the people are educated to want to be 
more secure in their day to day operation (Nosworthy, 2000). Such a change 
of attitude is of utmost importance, because a change in attitude 
automatically leads to a subsequent behavioral change (Nosworthy, 2000). 
The employees can then become the organization's most valuable assets. 
Current programs used to educate employees fail to pay sufficient attention 
to aspects related to the behavioral sciences (Siponen, 2001). 

It would make sense to adhere to a formal educational methodology 
when constructing such educational programs. The methodology used should 
be suitable for the specific needs of an information security user education 
program. Since the aim of the user education program is not to prepare the 
users for further levels of formal education, but rather to help them achieve 
information security know-how for use in their everyday jobs, the 
educational methodology used should be chosen accordingly. Outcomes 
Based Education (OBE) is an educational methodology that might in fact be 
ideally suited for use in such programs. The aim of OBE is to help learners 
achieve a specific outcome, in this case information security awareness and 
know-how. 



4. OUTCOMES BASED EDUCATION 

OBE is defined as an approach to teaching and learning which stresses 
the need to be clear about what learners are expected to achieve. The 
educator states beforehand what “outcome” is expected of the learners. The 
role of the educator is then to help the learners achieve that outcome 
(Sieborger, 1998). 

Outcomes can be defined as either cross-curriculum (general outcomes) 
or specific outcomes. A cross-curriculum outcome can be seen as the desired 
effect that attaining a specific competency should have within the general 
environment within which the learner operates. A specific outcome is one 
that directly demonstrates the mastery of the appropriate skill that the learner 
should gain from the OBE program. 

For each outcome an assessment standard should be defined. These 
standards are necessary in order to provide feedback to the learners. 
According to Sieborger (1998) assessment is essential to OBE to measure 
the degree to which a learner has achieved an outcome. In fact being able to 
assess progress and provide feedback to the learner is a prerequisite for any 
educational program to be successful. Fingar (1996) states that feedback, 
specifically in the form of knowledge regarding the outcomes of the 
learners’ actions, is required for learning to take place. Furthermore this 
feedback should be continuous and constructive (Department Of Education 
(DOE), 2001). 

The educational process in general can be viewed as a system of teaching 
and learning activities that are tied together via various feedback loops. It 
also includes other functions such as assessment, admission, quality 
assurance, direction and support (Tait, 1997). All of these components can, 
and should, play a role in the creation of an effective information security 
education program. OBE can be viewed in three different ways: as a theory 
of education, as a systematic structure for education or for the creation of 
educational material, and lastly as a classroom practice (Killen, 2000). OBE 
can thus be seen as a complete educational system, which contains all the 
components such a system should have. 

According to Killen (2000), OBE is based upon three basic premises, 
namely: 

1. All students can learn and succeed, but not all in the same time or in the 
same way. 

2. Successful learning promotes even more successful learning. 

3. Schools (and teachers) control the conditions that determine whether or 
not students are successful at learning. 

From these basic premises four essential principles of OBE were 
developed (Killen, 2000). They are: 

1. Clarity of focus, which means that all teaching activities must be clearly 
focused on the desired outcome that the learners should achieve. 

2. Designing back, which means that the starting point for an OBE 
program’s design should be a clear definition of the desired results. The 
rest of the curriculum should be designed according to this desired 
outcome. 

3. High expectations for all students. OBE not only assumes that everyone 
can attain the desired outcomes, it also requires that high standards 
should be set. This is based on evidence that learners are more likely to 
attain high standards when they are challenged by what is expected from 
them. 

4. Expanded opportunities for all learners. This final principle of OBE is 
based on the idea that not everyone learns the same way or at the same 
pace. Thus, in OBE, learners are given many opportunities for learning. 
Achieving the desired outcome is deemed more important than how that 
outcome was reached. 

In order for an educational program to be classified as being outcomes 
based, it has to adhere to all four of these principles. 



5. OUTCOMES BASED EDUCATION FOR 
INFORMATION SECURITY 

Up to this point this paper has shown the requirements an educational 
methodology would have to meet in order for it to be suitable for 
information security education. It has also introduced OBE and briefly 
outlined the basic premises and the principles of this educational 
methodology. It will now attempt to show that OBE is in fact well suited to 
the needs of information security. 

The first requirement listed for information security education was that 
everyone should be able to “pass” the course. Clearly OBE fulfils this 
requirement since the first premise upon which OBE is based is the 
assumption that all students can succeed and learn. 

Secondly, for information security education to be successful, employees 
must know why information security is important and why a specific policy 
or control is in place. Course developers should be aware that adults have 
well-established values, beliefs, and opinions. Adults relate new information 
and knowledge to previously learned information, experiences, and values 
which might result in misunderstanding (NIST, 1998, p. 20). It is even 
possible that they understand correctly but still don’t adhere to a security 
policy because it conflicts with their beliefs and values (Schlienger & 
Teufel, 2003). One of the fundamental differences between OBE and 
traditional educational models is the fact that rote learning is completely 
unacceptable in OBE. OBE requires the learner to identify and solve 
problems in which responses display that responsible decisions using critical 
and creative thinking have been made (Olivier, 1998; Pretorius, 1998). This 
type of thinking requires not only knowledge but also insight. Insight 
requires the learner to know why they are doing something (NIST, 1998, p. 
18). According to Killen (2000) each outcome based educational program 
must have a rationale to explain why the program exists. 

The third requirement of information security education identified was 
that learning materials should be customized to the needs of individual 
learners. The first basic premise of OBE not only states that all students can 
learn and succeed, but it also states that not all students can necessarily do 
this in the same time or in the same way. This premise is also expanded on in 
the fourth principle of OBE, which states that learners should be given many 
opportunities for learning. OBE thus recognizes that individuals learn in 
different ways and at different paces. For a program to be truly outcomes 
based it is vital that learning materials are provided in as customized a 
format as possible for individual learners. However, according to Killen 
(2000) the practical difficulties of providing expanded opportunities must be 
weighed against the long-term benefits of enabling all learners to be 
successful. 

The fourth and fifth suggested requirements of information security 
education state that users should be both responsible and accountable for 
their own learning. In other words, the users should take ownership of their 
own learning. Ownership of their learning and self-driven learning are 
central concepts to OBE. Because OBE recognizes that different students 
will learn at a different pace, OBE encourages self-driven learning. The 
ability to effectively manage one’s own time and learning is one 
of the critical cross-curriculum outcomes identified for all South African 
students (South African Qualification Authority (SAQA), 2000). The OBE 
model strives to move away from teacher centeredness, towards 
learner-centered education (Malan, 2000). Thus, responsibility for their own studies 
can be seen to be central to OBE. Hand in hand with responsibility is 
accountability. OBE places major emphasis on assessment as a tool to 
provide feedback on progress to the learner, and as a tool for measuring 
whether the desired outcomes have been reached (Killen, 2000; Malan, 
2000). Assessment makes students accountable for their studies. 

The following is a brief summary of the relationships between OBE and 
information security education concluded thus far: 

1. In terms of an organization's overall information security effort it is vital 
for all users to ultimately pass the information security course. OBE 
requires a high expectation for all learners to do well, and additionally 
requires that learners be given multiple opportunities to prove that they 
have achieved the desired outcomes. 

2. Employees should be told why a specific information security policy, or 
control, that applies to them, is in place. In OBE memorization of 
concepts is not sufficient, OBE requires learners to have insight and thus 
to understand why they are doing something. 

3. Due to the different levels of prior education, different organizational 
roles and different individual preferences of employees in an 
organization, learning materials used in an organization should be 
customized to the needs of individual learners. Recognizing that 
individuals learn in different ways and at different paces is a concept 
central to OBE. Flexible learning material, to suit individual needs, is a 
pre-requisite in an outcomes based program. 

4. In order to control costs, and to provide the above-mentioned flexibility 
in learning materials, organizational learners should be responsible for 
their own learning. The organization should supply the learning materials 
in formats that support as many learning styles as possible, but 
responsibility for using those materials should ultimately rest with the 
individual employees. Employees should thus take ownership of their 
learning. This concept of ownership and self-driven learning are central 
to OBE, which is essentially a learner centered educational methodology. 
5. Hand-in-hand with ownership and responsibility is accountability. 
Organizations need to make employees accountable for their own 
learning, otherwise, they would not be able to hold them accountable for 
negligence stemming from a lack of education. In OBE, and other 
educational methodologies, assessment plays a vital role. Learners must 
be held accountable for their learning in order to get them to accept 
ownership of their learning. 

OBE can thus be seen to match all of the requirements for information 
security education identified by this paper. In fact, a closer examination of 
the “results-based” educational framework advocated by NIST (1998) for 
information security programs will reveal many elements that are common 
to OBE as well. For example, NIST argues that information security 
education programs should be “results-based” and should focus on job 
functions, or roles and responsibilities specific to individuals (NIST, 1998, p. 
iii). OBE aims to help learners achieve a specific outcome or attain a 
specific skill. These outcomes should reflect the complexities of real life 
and the roles the learners would have to fulfill (Killen, 2000). In an 
organizational context this would mean that the outcomes would have to 
reflect skills needed in the individual’s day-to-day job functions. Several 
other such similarities exist, but a detailed examination of these falls outside 
the scope of this paper. Instead, the contextual role of OBE in the 
establishment of a corporate culture of information security will be briefly 
examined. 

According to Van Niekerk and Von Solms (2003), establishing a 
corporate culture will have to start with top management, who has to show 
commitment to information security via vision statements, policies and their 
own behavior. Secondly, a user education program should be constructed to 
educate the users about these policies and the behavior expected from them. 
Thirdly, middle management will have to positively reinforce any learning 
that took place by giving continuous feedback to the users. This feedback 
could take the form of performance metrics, e.g. key performance indicators, 
for individual employees. Ultimately, it will be this continuous 
reinforcement by middle management that produces the change in behavior. 

If OBE is to be used in this process, the cross-curriculum outcomes and 
measurables for these outcomes would have to be clearly defined. The 
programs to teach employees the necessary skills to attain these outcomes 
would then have to be drawn up and made available in a variety of learning 
formats. These could for example include a set of online tutorials, security 
manuals, videos or even lunch-hour workshops. This will ensure that each 
user has a choice in terms of how they learn, which satisfies the third 
requirement as outlined previously. Part of these programs would have to 
discuss the possible consequences to both the individual and the organization 
as a whole, should an employee fail to comply with the taught procedures. This 
will satisfy the requirement that users should know why they are taught a 
skill. 

Finally, to ensure that the users take ownership of their own learning, and 
to hold them accountable for their own learning, compliance metrics should 
be gathered. These metrics could then be used as part of individual users’ 
key performance indicators. This can fulfill the role of the continuous 
feedback from middle management that is required to change behavior. 
These metrics could be gathered per department, branch, etc. and can then 
also be made part of the key performance indicators for the appropriate 
middle level manager. The old adage that what you measure is what you get 
will then play its part by ensuring that the appropriate line managers will 
feed these statistics back to their staff since it impacts on their own 
performance evaluations. Since the learning material should always be 
available and the employees are measured against their compliance, 
eventually all the users should reach a level of compliance that indicates they 
have “passed” the course. It should thus be very possible to integrate all the 
requirements of information security education, as identified in this paper, 
into the process aimed at introducing a change in the organizational culture, 
as outlined by Van Niekerk and Von Solms (2003). 



6. CONCLUSION 

Humans today live in an emerging global information society, with a 
global economy that is increasingly dependent on the creation, management, 
and distribution of information resources. Information and its use permeate 
all aspects of modern society. Today, most organizations need information 
systems to survive and prosper. It is therefore imperative that modern 
organizations, operating in this global information society, take the 
protection of their information resources seriously. 

This paper has pointed out that this protection of information resources 
is to a large extent dependent on human cooperative behavior. It also 
pointed out that this dependence on human behavior makes it necessary to 
have a user education program to educate users regarding their roles and 
responsibilities towards information security. This paper proposed several 
“elements”, or properties, that such an information security education program 
should have in order for it to suit the needs of modern organizations. These 
included: 

- Everyone should be able to “pass” the course. 

- Employees must know why information security is important and why a 
specific policy or control is in place. 

- Learning materials should be customized to the needs of individual 
learners. 

- Users should be responsible for their own learning. 

- Users should be held accountable for their studies. 

Each of these proposed elements was argued in earlier sections of this 
paper. 

The same elements were shown to be present in OBE, an existing 
pedagogical methodology. The possible role of OBE in the context of 
attempting to change organizational culture, was also briefly examined. 
This paper argued that OBE could be seen to be an excellent fit for the needs 
of information security education and is definitely a solution to these needs. 
It has been suggested that information security, because it depends on human 
behavior, should look at the human sciences when attempting to solve 
problems relating to the roles humans play in information security. This 
paper aims to reinforce that suggestion. Educationalists spend many years 
developing models such as outcomes based education (OBE). These models 
have been extensively tested and critically examined in the literature. It is the 
contention of this paper that instead of “re-inventing the wheel” when 
designing user education programs, information security practitioners should 
“borrow” methodologies, like OBE, from the educational sciences. Future 
researchers who wish to solve information security education problems 
should be basing their work on sound pedagogical models. 
Abstract: All organisations possess a corporate culture, whether they are aware of it or 
not. This culture determines, to a large extent, the effectiveness of an 
organisation and the behaviour of employees within an organisation. As part of 
its corporate governance duties, senior management is responsible for the 
protection of the assets of its organisation. And as information is a vital asset to 
most organisations, senior management is ultimately responsible for the 
protection of information assets. An ideal corporate culture, in terms of 
information security, would be one where the second-nature behaviour of 
employees, determined by the culture, is to protect information assets. This 
paper will provide initial guidelines as to how to establish this culture by 
examining Schein's model and by investigating how to start implementing 
Corporate Information Security Obedience. 



Key words: Information Security; Corporate Governance; Corporate Culture; Goal 
Consensus; Corporate Information Security Obedience. 



1. INTRODUCTION 

Information is a vital asset and it is often described as the lifeblood of 
organisations (Gordon, 2002, online). It is, however, difficult to measure the 
exact value of the information that an organisation possesses. Still, it is 
evident that any breach in the confidentiality, integrity or availability of 
information could result in devastating consequences for an organisation 
(Gordon and Glickson LLC, 2001, online). Information security practices, 
together with other physical and technological means, therefore, need to be 
implemented and managed within the organisation to ensure that the 
information is kept safe and secure (Krige, 1999, p 7). 

As information is a fundamental organisational asset, its security must be 
integrated into the organisation’s overall management plan (Lane, 1985, pp 
2-3; Smith, 1989, p 193). This plan should be guided by good corporate 
governance practices. Corporate governance is one of the significant issues 
in business at present. Corporate governance is there to endorse the 
competent use of resources and to involve accountability for the 
management of those resources (Gaines, 2002, online; World Bank Group, 
1999, online). 

Senior management, as part of its corporate governance duties, should 
encourage employees to adhere to the behaviour specified by senior 
management to contribute towards a successful organisation. Senior 
management should preferably not autocratically enforce this behaviour, but 
encourage it as naturally as possible, resulting in the correct behaviour 
becoming part of the corporate culture. Corporate culture is the outcome of 
all the collective, taken-for-granted assumptions that a group has learned 
throughout history. It is the residue of success (Schein, 1999, p 29). 

The purpose of this paper is to detail the ideal corporate culture that 
should exist for it to be effective in protecting information. The paper 
initially investigates the role senior management should play in protecting 
information assets and how the creation and execution of the Corporate 
Information Security Policy could play a part in cultivating an information 
security conscious culture. The emphasis of this paper is to start 
investigating how to implement Corporate Information Security Obedience 
through expanding Schein’s model of corporate culture into a two- 
dimensional model representing both management and employee 
dimensions. 



2. MANAGING AN ORGANISATION 

Corporate governance is extremely important for managing the operation 
of organisations. Senior management, through effective corporate 
governance practices, must lead its organisation through ‘direction giving’ 
and strategy implementation (Planting, 2001, online). In order to implement 
this management strategy, the King Report recommends that four central 
pillars of corporate governance are visible in an organisation, namely; 
accountability, responsibility, fairness and transparency (2001, p 17). 
Accountability provides assurance that individuals and groups in an 
organisation are accountable for the decisions and actions that they take 
(King Report, 2001, p 14). The pillar of responsibility indicates that 
corrective action should be taken against negligence and misconduct (King 
Report, 2001, p 14). The third pillar, fairness, attempts to ensure that there 
is a balance in an organisation, in terms of the recognition various parties 
should receive. The final pillar, transparency, is the measure of how 
effective management is at making necessary information available in an 
open, precise and timely manner (King Report, 2001, pp. 13-14). These four 
pillars contribute to the overall goal of proper corporate governance. 

Through effective corporate governance, senior management is 
accountable and responsible for the wellbeing of its organisation and must 
ensure that the assets of its organisation are well protected. One such asset is 
information, and, therefore, it is the responsibility of senior management to 
protect the information assets of its organisation (King Report, 2001, p 17; 
Deloitte & Touche, 2002, online). Another responsibility of senior 
management is to cultivate and shape the corporate culture of its 
organisation. 



3. CORPORATE CULTURE 

Organisations develop cultures whether they want to or not. The culture 
of an organisation operates at both a conscious and unconscious level and if 
management does not understand the culture in its organisation, it could 
prove to be fatal in today’s business world (Hagberg Consulting Group, 
2002, online). Edgar H. Schein defines three levels of culture. 

3.1 The three levels of corporate culture 

One of the problems when trying to understand culture is to oversimplify 
this complex field. Culture exists at several levels, which range from the 
very visible to the tacit and invisible. Furthermore, it is imperative that these 
levels are managed and understood (Schein, 1999, p 15). 

The first level of corporate culture is the Artifacts Level. This is probably 
the easiest level to observe as it consists of the visible behaviour of 
individuals (Hagberg Consulting Group, 2002, online; Schein, 1999, p 15). 
At this level, it is still not clear as to why employees of an organisation 
behave in this way and why each organisation is constructed as it is (Schein, 
1999, p 16). This leads to an investigation of the second level of culture. 
The Espoused Values Level of corporate culture is the level where the values 
an organisation is promoting are outlined in the organisation’s policies 
(Schein, 1999, p 17). 

There could be a few noticeable inconsistencies between some of the 
Espoused Values or goals of an organisation and the visible behaviour of 
individuals as seen at the Artifacts Level. These inconsistencies indicate that 
a deeper level of thought is driving the obvious behaviour of the employees 
(Schein, 1999, p 18). To truly understand the visible behaviour and culture 
of an organisation, the Shared Tacit Assumptions Level of culture must be 
understood (Schein, 1999, pp 18-19). 

This Shared Tacit Assumptions Level represents the core of corporate 
culture. This core is the mutually learned beliefs and assumptions that 
become taken for granted as the organisation continues to be successful. The 
beliefs and values found at this level are second-nature to employees and 
influence the decisions and actions that they take (Schein, 1999, p 21). The 
corporate culture of an organisation should assist senior management in 
enforcing and ensuring good information security practices. Together with 
corporate culture, good corporate governance practices are essential for 
successful information security. 



4. INFORMATION SECURITY AND CORPORATE 
GOVERNANCE 

Information security transcends many facets of an organisation and is one 
of the most significant policy and structure decisions in an organisation 
(Spafford, 1998, online). It is becoming progressively more obvious that 
access to correct information at the right time is imperative to gaining 
competitive advantage or simply remaining in business 
(PricewaterhouseCoopers, 2002, p 1). Policies and procedures are the 
responsibility of senior management as part of their corporate governance 
duties. Therefore, it follows that senior management should be responsible 
for setting strategic direction regarding the protection of information. One 
of the ways for management to express its commitment to information 
security in its organisation is to provide support towards a documented 
Corporate Information Security Policy, as it is one of the controls considered 
common best practice in terms of information security (BS 7799-1, 1999, p 
4). 
5. CORPORATE INFORMATION SECURITY 
POLICY 

The Corporate Information Security Policy is a direction-giving document 
and should define the objectives and boundaries of the information security 
program. The main aim of any policy is to influence and determine 
decisions, actions and other issues, by specifying what behaviour is 
acceptable and what behaviour is unacceptable. The behaviour and actions 
of employees often represent the weakest link in the information security 
process (Martins & Eloff, 2002, p 203). Policies and procedures are, 
therefore, organisational laws that determine acceptable and unacceptable 
conduct within the context of corporate culture (Whitman & Mattord, 2003, 
p 194). Additionally, it should indicate management's commitment and 
support for information security and should describe the role that the policy 
plays in reaching the organisation’s vision (Hone, 2003, CD-ROM; BS 
7799-1, 1999, p 5). The correct behaviour, as envisioned in the Corporate 
Information Security Policy, should become second-nature to employees and 
the corporate culture should adapt to reflect this. 



6. THE NEED TO CHANGE THE CORPORATE 
CULTURE 

The acceptable actions and behaviour of employees towards information 
as outlined in the Corporate Information Security Policy should become the 
behaviour that employees demonstrate in their daily activities. Physical and 
technical controls are tangible controls that attempt to enforce compliance 
with information security practices and procedures in an organisation, but it 
is really operational controls and the resulting behaviour and actions of the 
employees and the processes they use that can sustain information security 
practices (Deloitte & Touche, 2002, online). As seen previously, the 
corporate culture of an organisation largely determines the behaviour of 
employees. Therefore, for the acceptable behaviour to become the de facto 
behaviour of employees, the corporate culture must be changed. 

Apprehension arises when there is the prospect of a big change in the 
environment that employees know so well (Drennan, 1992, p 9). The power 
to change corporate culture lies principally in the hands of senior 
management and transforming the culture takes vision, commitment and 
determination. Without this combination it will not happen, and it certainly 
will not last (Drennan, 1992, p 3-4). Employees of an organisation may be 
coerced into changing their obvious behaviour, but this behavioural change 
will not become established until the deepest level of culture, the Shared 
Tacit Assumptions Level, experiences a transformation (Schein, 1999, p 26). 

Kerry-Lynn Thomson and Rossouw von Solms 

A new corporate culture cannot simply be ‘created’. Senior management 
can demand or encourage a new way of working and thinking, management 
can monitor the changes to make sure that they are done, but employees of 
the organisation will not internalise the changes and make it part of the new 
culture unless they understand the benefit of these changes. It is senior 
management’s responsibility to highlight that the changes needed in the 
current culture are worthwhile and important (Schein, 1999, p 187). Senior 
management, through effective corporate governance practices, must ensure 
that the policies of the organisation are in line with the vision for the 
organisation. Senior management should then enforce these policies so that 
they become part of the way things are done in the organisation and ensure 
that employees understand the benefits to their organisation. However, it is 
not enough for senior management to only enforce its policies - it is 
important for the attitudes of senior management to encourage this change in 
the corporate culture. If nothing changes in the procedures of the 
organisation or the attitudes of its management, employee attitudes will not 
change either (Drennan, 1992, p 3). 



7. ORGANISATIONAL ENVIRONMENTS 

There are three key environments that could exist in organisations. These 
environments dictate how the organisation is run and how employees react in 
certain circumstances. These environments are Coercive, Utilitarian and 
Goal Consensus (Schein, 1992, online). 

The Coercive Environment is one where employees feel alienated in their 
environment and seek to leave this environment if possible. Peer 
relationships in this environment develop in defence of the authority in the 
organisation, in other words, senior management. These employees perform 
tasks because they must, rather than because they agree with the actions and 
decisions of senior management (Schein, 1992, online). The Utilitarian 
Environment is one where employees participate in their organisation by 
evolving workgroups based on an incentive system. In this environment 
employees will do as senior management wishes because of the rewards that 
they will receive. They still do not necessarily agree with senior 
management (Schein, 1992, online). 

Figure 1 illustrates the Coercive and Utilitarian Environments mapped 
onto Schein’s model of corporate culture. It shows that, in the Coercive and 
Utilitarian Environments, the Artifacts Level of both management and 
employees are in concurrence with one another. In the Coercive 
Environment this indicates that there is stringent management control and 
employees adhere to the behaviour specified by management, or else harsh 
corrective action will be taken against them. In the Utilitarian Environment 
this concurrence indicates that employees will do as management wishes in 
return for a reward. As indicated in the Figure, the Shared Tacit 
Assumptions Level in both environments is not in line at all - the beliefs and 
values of management and employees are not the same. Without either strict 
management or incentives, the correct behaviour of employees would fade. 




In Figure 1 the Information Security Policy is found at the Espoused 
Values Level of Schein’s model and found on the Management side. This 
indicates that the contents of the policy are in agreement with what 
management wishes, but not at all in line with the beliefs and values of the 
employees. It is vital that employees are in agreement with their work 
policies, as it is indicated that productivity and performance will increase by 
30% to 40% if employees are satisfied with the policies (Schafer, 2003, 
online). Consequently, employees should be satisfied with the Corporate 
Information Security Policy. If the Information Security Policy is not 
discussed, supported and evaluated by management and employees, the 
Policy may remain a ‘piece of paper' (Canadian Labour Program, 2003, 
online). 

The third organisational environment, the Goal Consensus Environment, 
is one where employees are morally involved with the organisation. They 
identify with the organisation and share the same beliefs and values of senior 
management and they are striving towards the vision of senior management. 
In this environment, employees’ actions are not as a result of being forced to 
do so or because of a reward, but because they are in agreement with the 
way things are done in the organisation (Schein, 1992, online). This Goal 
Consensus Environment could be seen as a corporate culture which is in line 
with the vision of senior management. This would mean that ‘right’ 
decisions and actions of employees become second-nature and part of their 
culture (Schein, 1999, p 15-17). 



[Figure 2: Employee and Management columns mapped onto the levels of Schein's model (Artifacts, Espoused Values, Shared Tacit Assumptions)] 

Figure 2. The goal consensus environment and Schein's model 



Figure 2 illustrates that in the Goal Consensus Environment, all three 
levels of corporate culture in Schein’s model are in agreement. This is an 
ideal corporate culture, in terms of information security, as the information 
security vision expressed at the Espoused Values Level by senior 
management is supported by the actions and behaviour of employees at the 
Artifacts Level. This level is determined by the Shared Tacit Assumptions 
Level of corporate culture. In the Figure, the Corporate Information Security 
Policy is found at the intersection of management and employees. This 
indicates that the beliefs and values of the employees are in agreement with 
senior management’s vision for information security. This would indicate 
that Corporate Information Security Obedience has been implemented in this 
organisational environment (Thomson & von Solms, 2003, p 107). 



8. IMPLEMENTING CORPORATE INFORMATION 
SECURITY OBEDIENCE 

As seen previously, corporate culture is the residue of success. In other 
words, it is the set of procedures that senior management and employees of 
an organisation follow in order to be successful. For information security 
practices to be successful, it is important for Corporate Information Security 
Obedience to be implemented in an organisation. 

By implementing Information Security Obedience, the de facto behaviour 
of employees towards information security should be the correct behaviour 
outlined in the Information Security Policy. In order to do this, the Espoused 
Values and Shared Tacit Assumptions Level of Schein’s model must be 
addressed. Senior management must have a very clear vision as to what 
correct behaviour is in terms of information security. Management should 
then analyse its current corporate culture and identify the cultural elements 
that need to change (Spotlight, 2002, online). The Espoused Values Level is 
where the organisational policies, including the Corporate Information 
Security Policy, of an organisation are created by senior management. In 
order for Information Security Obedience to be implemented, the 
Information Security Policy contents must be drafted and communicated in a 
way that is acceptable in terms of the employees’ beliefs and values. One 
way to do this is to involve employees in decision-making processes, taking 
into account employee welfare. If employees do not agree with the 
Corporate Information Security Policy or do not understand the benefits of 
the change in behaviour they will not adhere to the correct behaviour 
(Goal/QPC, 2003, online). 

Correct behaviour should be encouraged and displayed by senior 
management, which will, to a large extent, shape the corporate culture 
(Hagberg Consulting Group, 2002, online). If this new, correct behaviour is 
an improvement on the current behaviour it should begin to influence the 
beliefs and values of employees found at the Shared Tacit Assumptions 
Level. This in turn should begin to shape the corporate culture (Schein, 
1999, p 23). This would mean that the Espoused Values Level and the 
associated Information Security Policy is in line with the Shared Tacit 
Assumptions Level of employees and Corporate Information Security 
Obedience has been achieved. 
9. CONCLUSION 

Information is a vital asset in most organisations and as such should be 
well protected through effective information security practices. One of the 
problems facing the protection of information is the actions and behaviour of 
the employees in an organisation. If correct information security practices 
could become second-nature to employees and part of the way they conduct 
their daily activities, it would, to a large extent, eliminate this problem. This 
would assist in the creation of an environment of Corporate Information 
Security Obedience, where the information security procedures outlined by 
senior management in the Corporate Information Security Policy are the 
behaviour displayed by employees. 

In order to implement Information Security Obedience the beliefs and 
values of employees, in terms of information security, must be addressed at 
the root level of Shared Tacit Assumptions. This level must be aligned with 
the contents of the Corporate Information Security Policy found at the 
Espoused Values Level. If these two levels are in concurrence with one 
another, it will mean that the information security practices employed by 
employees are the same as the correct information security practices outlined 
at the Espoused Values Level. This paper has outlined the reason that 
Corporate Information Security Obedience is necessary for employees to 
fully understand the role they must play in information security in their 
organisation. This should, to a large extent, eradicate the incorrect 
information security practices performed by employees and further research 
will continue to investigate the action that should be taken to firmly entrench 
correct information security practices in an organisation through Corporate 
Information Security Obedience. 

At present, the concept of implementing Corporate Information Security 
Obedience is being researched. Therefore, there are no further 
recommendations on how to accomplish this implementation included in this 
paper. These recommendations will form part of further research. 
Abstract: Critical Information Infrastructure has become a priority for all levels of 
management. It is one of the key components of efficient business and 
business continuity plans. There is a need for a new security methodology to 
deal with the new and unique attack threats and vulnerabilities associated with 
the new information technology security paradigm. CIIP-RAM is a new 
security risk analysis method which copes with the shift from 
computer/information security to critical information infrastructure protection. 
This type of methodology is the next step toward handling information 
technology security risk at all levels from upper management information 
security down to firewall configurations. The paper will present the 
methodology of the new techniques and their application to critical 
information infrastructure protection. The associated advantages of this 
methodology will also be discussed. 

Key words: Critical Information Infrastructure, Security Risk Analysis and Information 
Security. 



1. INTRODUCTION 

Understanding and managing Critical Information Infrastructure (CII) security 
risks is a priority to most organisations dealing with Information Technology (IT) 
and Information Warfare (IW) scenarios today (Libicki 2000). Traditional security 
risk analysis was well suited to these tasks within the paradigm of computer security 
where the focus was on securing tangible items such as computing and 
communications equipment (NCS 1996, Cramer 1998). With the growth of 
information interchange and reliance on information infrastructure, the ability to 
understand where vulnerabilities lie within an organisation, regardless of size, has 
become extremely difficult (NIPC 1996). To place a value on the information that is 
owned and used by an organisation is virtually an impossible task (Busuttil and 
Warren 2001a). The suitability of risk analysis to assist in managing Critical 
Information Infrastructure-related security risks is unqualified; however, studies have 
been undertaken to build frameworks and methodologies for modelling Information 
Attacks (Beer 1984, Molander et al. 1996, Johnson 1997, Busuttil and Warren 
2001b, Hutchinson and Warren 2001) which will assist greatly in applying risk 
analysis concepts and methodologies to the burgeoning information technology 
security paradigm, Information Warfare. The concept behind this unique method 
of security risk analysis takes the form of the conceptual model of layered logical 
transformation models (LTMs) (Busuttil and Warren 2002). These models allow 
stakeholders to apply risk analysis to traditional IW scenarios so as to deal with the 
problems of scalability and inaccurate cost analysis as well as being dynamic 
enough to keep up with the constant changes occurring in information infrastructure 
and information attacks. 



2. A NEW METHOD OF SECURITY RISK 
ANALYSIS AND INFORMATION 
INFRASTRUCTURE PROTECTION 

Third generation security risk analysis methodologies, LTMs, were designed to 
work well when built into information system security risk analysis scenarios from 
the beginning (Baskerville 1993). The major characteristics of IW and CII 
protection which set them apart from information security (IS) are the need to take 
into account (1) organisational scalability, (2) flexibility and (3) the difficulty 
of cost-evaluating threats, vulnerabilities and attacks when considering CII issues. 
So, to adapt LTM security risk analysis technology from IS to CII protection, these 
issues of scalability and adaptability must first be dealt with. 

One of the major advantages of LTMs is the ability to build security into 
information systems in an adaptable manner (Baskerville 1993). The flexibility of 
control that is possible when designing security using LTMs is a definite strength 
when dealing with IW concerns, as threats, vulnerabilities and targets are constantly 
changing. The problem of scalability is the need to deal with infrastructure at many 
levels (global, national, organisational etc.). This can be dealt with by bringing 
forward the concept of layering the LTMs, so that each level of information 
infrastructure can have one or more LTMs, each depicting a security-based 
problem/solution pairing. Any number or level of information infrastructures can be 
included in the overall model. This way of dealing with issues allows the entire 
organisation to deal with security as a cultural issue rather than leaving the task up 
to management armed with baseline methodologies and an ever increasing work 
load. 

The problem of cost evaluation influencing critical system security is solved, as 
LTMs do not make cost evaluation a major part of the decision making process. 
CII-based cost evaluation is virtually impossible, so factoring it in, but at a lower 
level, is a way of making sure security is built well over the breadth and depth of the 
system. Focusing on one seemingly major, but actually minor, area to secure can 
often be a downfall of organisations (Cramer 1997). The only minor difficulty is the 
need to classify which information infrastructure level contains particular entities, 
problems etc. A proposed solution to this problem is to also include scope in the 
modelling methodology to handle infrastructure interfaces. This would be where 
security issues regarding physical and/or logical links between two infrastructure 
levels would be discussed. 

The proposal of a new layered-LTM (LLTM) based security risk analysis model 
comes about as a result of the lack of suitability of the aforementioned security risk 
analysis methodologies to Information Warfare and CII protection (Busuttil and 
Warren 2002). The lack of suitability of SRA methodologies comes about due to 
insufficiencies in the current standards and guidelines that infrastructure 
security professionals are required to work within. This next generation will involve 
the application of logical transformation methods across the layers of information 
infrastructure discussed in table 1. 



3. CRITICAL INFORMATION INFRASTRUCTURE PROTECTION - RISK ANALYSIS METHODOLOGY 

When building an information security system using logical transformation 
models there are a number of steps that need to be followed. Firstly, a system 
implementation participation group representing a large cross-section of the 
involved system users should undertake the approach, as this will assist in the 
exposition of infrastructure definitions, vulnerabilities and countermeasures. For 
each defined piece of the information infrastructure the following information needs 
to be stored: 

• Infrastructure definitions; 

• An infrastructure vulnerability assessment on each infrastructure level. 

Once a vulnerability assessment has been completed the group can then attempt 
to map the vulnerabilities to areas of infrastructure and organisational responsibility, 
so as to get an overall understanding of the problems that face the organisation 
undertaking this risk analysis approach. The following formal stages are required 
for completing this new method of security risk analysis: 

1. Form system implementation participation group; 

2. Define Infrastructure; 

3. Complete vulnerability assessment on each infrastructure level; 

4. Derive countermeasures based on findings from steps 2 and 3. 

Stage 1 should be completed once at the beginning of the lifecycle of the risk 
analysis process. Stage 2 should be completed once for each piece of infrastructure 
that is introduced to the overall system. Stages 3 and 4 should be completed once at 
the beginning of the analysis to cover all the parts that exist at this time within the 
infrastructure system and should be updated regularly for both new and previously 
integrated infrastructure entities. A step-by-step description of each of the 
aforementioned stages follows. 

3.1 INTRODUCTION TO STAGE 1 OF CIIP-RAM 

The first stage in CIIP-RAM (Critical Information Infrastructure Protection - 
Risk Analysis Methodology) was originally to construct a committee with a wide 
cross-section of understanding regarding the current computing environment within 
the organisation in which the risk analysis is being undertaken. This committee was 
designed to encompass people from all levels of the organisation, e.g. management 
to clerks, and also different areas of expertise, e.g. computing to accounting. The 
reason for this diversity to be inherent within the panel undertaking the analysis is 
that the organisation is looking for all information infrastructure security risks, and 
the wider the net is cast the more likely each ensuing stage will be completed to an 
efficient level. 

The concept of bringing people’s concerns to the discussion table or at least 
voicing opinions is believed to be an important step in constructing systems that are 
efficient (Mumford and Henshall 1979). However, the major goals of forming a 
committee are often not met if a leader champions the group with strong views 
toward an issue or with a preconceived and/or stubborn approach to the process 
(Davey 2002). In view of this situation, a more effective approach to the first stage 
of the methodology is to accept representative views in electronic form and allow 
computing technology and a system operator to take the form of a trusted third party 
which offers pre-programmed cataloguing and indexing of the problems and 
formulates them in a way so as to allow easy understanding of where the problem 
lies, who is affected and also when and how the problem occurs or has occurred in 
the past. This approach offers two major advantages over the original 
committee-based approach. Firstly, it allows issues to be raised in an unfettered 
manner by the system implementation participation group and secondly, the results 
are stored in an easy to read and recall environment which can be access-controlled. 
This method of system development has been characterised by the Joint Application 
Development (JAD) methodology originally employed in the early 1970s by IBM as a way of 
designing systems which fit requirements of all the users. JAD required a number of 
participants from all areas within the project scope as well as outsiders to discuss 
and document the system requirements whilst also communicating with those who 
would ultimately use, implement and maintain the system (Hoffer et al 2002). It 
was originally designed to cater to the creation of computing and information 
systems. The creation and implementation of a security policy is similar as there is 
a final goal and an ongoing, sign-posted, evolutionary process to achieve this goal. 

3.2 CIIP-RAM Stage 1 - Form system implementation participation group 

Stage 1 of CIIP-RAM is described in detail within sections 3.2.1 - 3.2.3. 

3.2.1 CIIP-RAM Stage 1.1 - Assemble Group of Stakeholders 

The first step toward the application of the CIIP-RAM methodology is the 
assembly of a system implementation participation group. The main focus of this 
group is to collect and present, without prejudice or bias, the concerns of the 
stakeholders, users, developers etc. of the new security culture. Using either a 
manual or computer-based system, depicted in figure 1, as a tool for information 
collection this group should see the first implementation cycle through whilst also 
ensuring that new system entities be they human or non-human are kept informed, 
updated, secured and involved with new and changing policy. 

Figure 1: Screenshot depicting CIIP-RAM System Step 1.1 (Section 3.2.1) 



3.2.2 CIIP-RAM Stage 1.2 - Instruct Group as to the Goals of the Exercise 

The instruction of the group as to the goals of this new exercise is a crucial step 
in the creation and sustainability of new policy and culture. It is important that the 
group members can understand the need for change in security policy and culture 
through training with regards to goals of this exercise. It is also important that 
group members are able to communicate to other members of the organisation in a 
concise manner what changes will be put in place and the reason for these changes. 
The ability to put forward new and unforeseen issues and problems is also a key task 
for system implementation participation group members. The overall goal of the 
exercise is to eradicate information infrastructure vulnerability whilst taking into 
consideration stakeholders within the system. This should not only be the goal of 
the exercise but also the goal of each member of the group and in turn the 
organisation. 



3.2.3 CIIP-RAM Stage 1.3 - Instruct Group on the steps involved 

The CIIP-RAM system is a methodology which is designed to be followed 
stage-by-stage. It is important that the group knows what each of the steps are, 
and what they must do singularly and as a team to fulfil each step. Most critically, 
the maintenance of the culture change that the use of this methodology will likely 
invoke must be taken into consideration at this stage. Each group member should be 
given information on the process as well as step-by-step instructions on how to 
manage and execute the methodology. Once all group members have read and 
understood what the process will entail, group consensus should be reached with 
regard to any perceived problems or ambiguities. 



3.3 INTRODUCTION TO STAGE 2 OF CIIP-RAM 

This stage requires the committee to classify what sort of CII the organisation is 
dependent on. An organisation makes use of an organisational CII that administers 
personal IIs (PIIs) whilst being reliant on a national II (NII). At this stage the 
system boundaries (Vidalis and Blyth 2002) should be mapped so as to understand 
where different LTMs are required for different layers of II. The total organisational 
II (OII) should be broken down into sections that can be defined, classified and 
analysed separately. This definition of infrastructure entities may include a mapping 
to the infrastructure, including its interfaces to other infrastructure within and 
outside of the organisation, as well as the security measures currently in place. 
Previous security incidents (if any) and the relevant countermeasures taken (if any) 
would also assist in the further steps of the model. It is important to remember that 
the focus of stage 2 is to derive the organisational CII, and despite the use of PIIs, 
NIIs and global IIs (GIIs) to derive the scope of the organisational CII, these other 
IIs are not really important to the undertaking of CIIP-RAM. 

3.4 CIIP-RAM Stage 2 - Define Critical Information 
Infrastructure 

Stage 2 of CIIP-RAM is described in detail within sections 3.4.1 - 3.4.5. 

3.4.1 CIIP-RAM Stage 2.1 - Define the Information Infrastructure 

The definition of the information infrastructure should be completed using two 
basic methods. Firstly, a diagrammatic depiction of the Information infrastructure 
should be derived, perhaps using UML or some other information-rich graphical 
representation. The diagram should show, to the greatest possible detail, systems, 
entities, links etc. The diagram should deal with multiple infrastructure levels from 
high-level (offices in London and New York) to low-level (computers linked in 
room x of building y via null modem cable). The depiction of these scenes helps in 
the understanding of networked infrastructure. 

It is also an extremely important part of this step to textually show relationships 
between network infrastructures. Once again this should focus across the width and 
breadth of the organisation and should be completed with as much detail as possible. 
The completion of both the diagram and the written form will allow for the 
system implementation participation group to have a clear and detailed view of their 
organisational world. The group should review the two depictions and clear up 
ambiguities and imperfections before moving on to the next step. 

3.4.2 CIIP-RAM Stage 2.2 - Define the System Boundaries 

In defining the system boundaries the group must work toward understanding 
which infrastructural entities they do or do not own and control. Demarcation of the 
boundaries helps the group understand the scope of the information infrastructure 
they are working within. The group should then review the information 
infrastructure definition they have derived so as to exclude all infrastructure entities 
outside these new boundaries. 

3.4.3 CIIP-RAM Stage 2.3 - Define Manageable CII Sub-Systems 

At this stage the group will have a reasonable understanding of the 
infrastructural entities they must protect as well as a pre-existing knowledge of the 
organisational processes that are undertaken by them and their colleagues. The next 
task is to break down the newly defined information infrastructure into more 
manageable and critical subsystems. The splitting of these systems can be done in 
numerous ways but, the simplest ways are grouping by physical location (systems in 
London and New York become sub-systems) or by logical connection (payment 
systems and database systems become sub-systems) or a mixture of both. These 
newly derived sub-systems should be of manageable size. If this has not been 
reached then further division of systems shall be done by the group until this 
requirement is met. This information should be entered into the CIIP-RAM system 
step 2.3 as depicted in Figure 2. 
Figure 2: Screenshot depicting CIIP-RAM System Step 2.3 

3.4.4 CIIP-RAM Stage 2.4 - Breakdown Sub-Systems into Classifiable Infrastructure Entities 

Considering now the derived information infrastructure sub-systems, it is an 
important next process to further break down these systems into the entities that 
make up the system. In the case of this review an entity is defined as any 
infrastructural hardware device, information store, connection mechanism or person. 
These entities should be mapped out both textually (Figure 3) and diagrammatically 
as was completed in the previous step and using similar methods and syntax to show 
relationships. 

Figure 3: Screenshot depicting CIIP-RAM System Step 2.4 



3.4.5 CIIP-RAM Stage 2.5 - Enter Information about Each Entity 

The entering of information captured within this phase is an important step in the 
infrastructure definition process. The major goal of this exercise is to capture the 
information that is currently known about the entity in question. The required 
information and a method for capturing that information is shown in Table 1. 

Table 1. An example of a classification table 

Classification            Explanation 
Sub-System 
Entity                    Workstation 6 
Connections               Payment Systems Support LAN via CAT5 cabling 
Security in Place         Dumb terminal status, password access 
Past Security Problems    (July 1997) Subversion of password controls 
Solutions Applied         (July 1997) Changed password 

CIIP-RAM - A Security Risk Analysis Methodology... 


It is noticeable that the sub-system, Entity and connection fields have different 
colours applied to them. The blue depicts a subsystem name, red depicts an entity 
name and green depicts a connection mechanism. It is crucial that differences 
between these three are noted and marked in some way. Doing this makes the 
understanding of the model easier to derive information from at a later date. At the 
completion of this step the system implementation participation group should have a 
compiled list of entities and the information known about each. It is important that 
this information is conserved for use in further steps and also as a reference. 

3.5 INTRODUCTION TO STAGE 3 OF CIIP-RAM 

The third stage requires the completion of a vulnerability assessment which 
should include a thorough rundown of likely vulnerabilities within the organisation 
as a whole and also any known vulnerabilities within its connection scope to 
particular entities within the OII. A method of vulnerability assessment within the 
scope of electronic payment systems (EPS) named 'Threat Assessment Model for 
EPS' (TAME) (O'Mahony et al. 1997) shows a loosely coupled decision loop that 
allows for on-the-fly adjustment to system threats and inputs and outputs (Vidalis 
and Blyth 2002). The steps involved in this system are useful; however it is 
important to know where an organisation is in the security process. The TAME 
system also focuses greatly on assessing threat, which takes impetus away from 
finding vulnerabilities within the organisation. Concentration on threat as opposed 
to vulnerability can cause security weaknesses to go unnoticed, as there may be a 
threat that can never be prepared for. If the organisation attempts to keep 
vulnerabilities to a minimum then it is not overly important to know the nature of 
the threat agent (Malone 2002). 

The new methodology takes into account the following contiguous stages: 

• Assessment Scope; 

• Scenario Construction and Modelling; 

• Vulnerability Analysis; 

• Evaluation. 

The stages consist of a number of steps which should be completed in turn so as 
to be easier to follow and keep track of. The concepts covered in the new 
methodology are similar to those discussed in the TAME system. 

3.6 CIIP-RAM Stage 3 - Complete Vulnerability 
Assessment on Infrastructure Levels 

CIIP-RAM's third stage is described in more detail in sections 3.6.1 - 3.6.4.2. 

3.6.1 CIIP-RAM Stage 3.1 - Prepare an Assessment Scope 

The preparation of an assessment scope is a two step process which consists of 
the completion of a Business Analysis and a Stakeholder Identification. 

3.6.1.1 CIIP-RAM Stage 3.1.1 - Complete a Business Analysis 

A basic business analysis in accordance with (Nosworthy 2000) involves the 
process of business goal and business process identification. In addition to 
undertaking the basic business analysis the inclusion of an environmental analysis 
should also take place as a means of examining the environment within which the 
organisation exists. 

3.6.1.1.1 CIIP-RAM Stage 3.1.1.1 - Identification of Business Goals 

The identification of business goals is of key importance in any risk analysis 
application as it allows the system implementation participation group to bring 
major issues requiring review to the forefront of the risk analysis (Forte 2000). The 
identification of the business goals can be determined by stakeholders of the 
organisation that is the subject of the analysis. 

3.6.1.1.2 CIIP-RAM Stage 3.1.1.2 - Identification of business processes 

With the identification of an organisation’s critical business processes we are 
able to bring to the surface more assets and vulnerabilities. A number of 
organisational primary and support processes could be identified (Johnson and 
Scholes 1999) at this time and should be updated as conditions and processes 
change. Depending on the size of the organisation under analysis three to eight 
organisational processes could be identified and should be noted. These processes 
can later be used as scenarios in the system modelling step. An in depth description 
of these processes should be produced. From these details the system 
implementation participation group will be in a position to identify and note more 
assets and vulnerabilities to add to the database. 

3.6.1.1.3 CIIP-RAM Stage 3.1.1.3 - Environmental Analysis 

The completion of an environmental analysis is based on Porter’s five forces 
approach of examining the business environment at the strategic level (Johnson and 
Scholes 1999). Three environments are identified as targets for this analysis, 
technical environment; business environment and; physical environment. 

The environmental analysis is a reasonably basic step which consists of breaking 
down the three environments mentioned via discussion, getting a feel for the 
organisation's position with regards to each of the five forces in each of the 
organisational environments, and noting down findings. This step will further help 
in the fleshing out of the issues affecting the organisation. 

3.6.1.2 CIIP-RAM Stage 3.1.2 - Identify Stakeholders 

Each infrastructure entity will have a set of stakeholders that can be questioned 
in an effort to define its function, nature and scope. There are three distinct classes 
of stakeholder within systems according to Sutcliffe (1988): the management 
stakeholders, the user stakeholders and the development stakeholders. 

However, customised stakeholder classifications can be used in each case. This 
would be dependent on the type of business the organisation is involved in. A list of 
each stakeholder should be constructed and each entry on the list is required to give 
input on assets and vulnerabilities that they can identify. The invocation of 
infrastructure protection should be looked at as an entire-organisation initiative 
rather than a one person job for the computer security guru. In the current 
environment it is important that all stakeholders in an organisation form a 
formidable information infrastructure protection team (Wood 1997). 

3.6.2 CIIP-RAM Stage 3.2 - Scenario Construction and Modelling 

Scenario construction and modelling is made up of the following steps: (1) Scenario 
Generation; (2) System Modelling; (3) Asset Identification. 

3.6.2.1 CIIP-RAM Stage 3.2.1 - Scenario Generation 

In this step the parties involved in the system implementation participation group 
are required to come up with a scenario involving the organisation and its use of the 
particular infrastructure entity under discussion. The parties that should be involved 
predominantly at this step are the management of the company along with the 
stakeholders, in cooperation with organisational security staff. The scenario should 
describe a real world application of the organisation. Risk assessment should be 
conducted with this, and similar, scenarios in mind. This step goes a long way 
toward helping all members of the system implementation participation group 
understand the nature of vulnerabilities across the organisation. Getting all 
members involved in the discussion of an area that is not necessarily within their 
jurisdiction can assist in the uncovering of widespread, endemic or multi- 
organisational vulnerabilities. 

Although probably not necessary at this stage, more assets and vulnerabilities 
are likely to be identified. The more a particular scenario is refined and understood 
the more likely the group is to continue to uncover hidden aspects and 
vulnerabilities of a system. In addition, because each stakeholder is constructing a 
scenario, all likely to be from differing standpoints, it would be difficult for the 
system implementation participation group to not uncover the majority of the issues 
regarding the system under review. These scenarios are then filtered for similarities 
to provide a less cluttered view of the reviewed system. 

3.6.2.2 CIIP-RAM Stage 3.2.2 - System Modelling 

This step involves the system as a whole being modelled. All its aspects, 
procedures, resources and transactions will be analysed in great detail. The system 
implementation participation group should try and take a high level view of the 
system. The more complete and detailed the model is at the completion of this step, 
the more successful the further stages are likely to be. Once again, further issues, 
assets and vulnerabilities are expected to be identified. If these new found attributes 
fall within the scope of the assessment they should then be included in the 
appropriate list. 

The method that the user will employ to model the CII of the organisation is to 
enter the names of each of the infrastructure components into the data collection 
mechanism and also mention connections that each infrastructure entity has with 
other entities in the system. With the group working toward this system 
comprehension it is unlikely that systems and entities will be overlooked. 

3.6.2.3 CIIP-RAM Stage 3.2.3 - Asset Identification 

The entries of the asset list, relevant to the scope under which we see the critical 
information infrastructure and its components, as well as the system procedures 
involved in the system transactions that we want to examine, should be included and 
denoted. The user should identify all examinable assets at this stage. Further assets 
will be identified during other steps. 

The assets uncovered at all stages up to this point should then be entered under 
the following categories in the asset table (Nosworthy 2000), Software, Hardware, 
Data, Administrative, Communications, Human Resources and Physical. It is not 
necessary for the table to contain all the asset categories. The selection and 
inclusion of categories is dependent on the scope of the CII. 

3.6.3 CIIP-RAM Stage 3.3 - Vulnerability Analysis 

The 'CIIP-RAM Stage 3.3 - Vulnerability Analysis' stage requires users to 
complete stages 3.3.1 and 3.3.2 for each vulnerability. 

3.6.3.1 CIIP-RAM Stage 3.3.1 - Vulnerability Type Identification & 
Selection 

Vulnerability can be noted as a weakness in the security system that might be 
exploited to cause harm or loss (Pfleeger 1997). So with that we can safely say that 
a CII vulnerability is a weakness in a CII security system that might be exploited to 
cause harm or loss. This methodology will focus on the CII vulnerabilities. The 
vulnerability list structure put forward by Neumann (1995) is the method of 
reporting that will be used (Table 2). 



Table 2. An example excerpt from an entity-vulnerability list 

Entity              Vulnerability 
1.4 - Web Server    Software not up to date 
                    Virus signature file out of date 



With systems such as CIIs with so many aspects, variables and hierarchical 
levels it is important that we complete the step of vulnerability selection so as to 
make the methodology easier to follow and more usable. The completion of a 
vulnerability selection can help simplify and tailor the system so that it is more 
manageable. The user can select the vulnerabilities of one type e.g. web server 
vulnerabilities and tailor the system to deal with the focused problem. 
However, this step could also be avoided entirely so as to give an extremely 
detailed look at the system from all points of view. The final vulnerability list needs 
to be combined with the entity list in order to get a matrix which depicts all the 
vulnerabilities for each entity. By doing this the user sets up a link between entities, 
vulnerabilities and countermeasures. Within the computer-based CIIP-RAM 
management tool currently being developed, the procedure of linking the entities, 
vulnerabilities and countermeasures (Figure 4) will be automated to deal with 
complexity on-the-fly. 

Figure 4: Screenshot depicting automated data entry from the CIIP-RAM System 

3.6.3.2 CIIP-RAM Stage 3.3.2 - Vulnerability Complexity Analysis 

It is important that for each entity/vulnerability pair, a certain amount of analysis 
be done on how many levels of security a threat agent would need to go through to 
exploit a vulnerability. If multiple vulnerabilities need to be exploited before a 
particular database server is compromised then these vulnerabilities need to be 
broken down into their composite vulnerabilities. These 'new' vulnerabilities 
should then be fed back into the matrix for further assessment. 

3.6.4 CIIP-RAM Stage 3.4 - Evaluation 

The 'CIIP-RAM Stage 3.4 - Evaluation' stage requires users to complete stages 
3.4.1 and 3.4.2 for each vulnerability. 

3.6.4.1 CIIP-RAM Stage 3.4.1 - Stakeholder Evaluation 

In this step the stakeholders of the Critical Information Infrastructure under 
discussion should review the outputs of all the other stages. As with any computing 
related system it is important to the success of the project for the developers to stay 
in close contact with the client (Pressman 2001). In all cases the developers will be 
the system implementation participation group and the clients are representatives of 
the stakeholders of the CII under discussion. 

Entities and vulnerabilities are expected to be introduced, or excluded, not from 
the model but from further investigation in the current iteration of the system. 
Once an entity or vulnerability has been introduced to the system it is important that 
it not be taken out. Entities and vulnerabilities may, at the first iteration, seem 
trivial; however, due to the dynamism of computing, they may come into play during 
a later iteration. 
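As an added illustration (not part of this paper, nor of the computer-based CIIP-RAM 
tool it describes), the following Python sketch models three of the rules stated in 
stages 3.3, 3.3.2 and 3.4.1: the entity/vulnerability matrix that links entities, 
vulnerabilities and countermeasures; the decomposition of a multi-step vulnerability 
into composite vulnerabilities that are fed back into the matrix, with the number of 
security levels a threat agent must pass derived from the prerequisite chain; and the 
rule that a pair, once entered, may be excluded from the current iteration but never 
deleted. The class and method names are assumptions, and the sample rows are 
constructed loosely from Tables 1 to 3 above. 

```python
from dataclasses import dataclass, field


@dataclass
class Entity:
    """A classifiable infrastructure entity (Stage 2.4/2.5, cf. Table 1)."""
    ident: str                       # numbering as in Table 2, e.g. "1.4"
    name: str                        # e.g. "Web Server"
    sub_system: str                  # Stage 2.3 sub-system, e.g. "Payment Systems"
    connections: list[str] = field(default_factory=list)


@dataclass
class Vulnerability:
    """A CII vulnerability; `prerequisites` are the composite vulnerabilities a
    threat agent must exploit first (Stage 3.3.2). Empty for a direct weakness."""
    vid: str
    description: str
    prerequisites: list[str] = field(default_factory=list)


class CiipMatrix:
    """Entity x vulnerability matrix of Stage 3.3, linked to countermeasures.
    (Assumed structure; not the CIIP-RAM tool's own data model.)"""

    def __init__(self) -> None:
        self.entities: dict[str, Entity] = {}
        self.vulns: dict[str, Vulnerability] = {}
        # One cell per (entity id, vulnerability id). A cell is never deleted once
        # created (Stage 3.4.1); it can only be excluded from the current iteration.
        self.cells: dict[tuple[str, str], dict] = {}

    def add_entity(self, e: Entity) -> None:
        self.entities[e.ident] = e

    def add_vulnerability(self, v: Vulnerability) -> None:
        self.vulns[v.vid] = v

    def link(self, eid: str, vid: str) -> None:
        if eid not in self.entities or vid not in self.vulns:
            raise KeyError(f"unknown entity or vulnerability: {eid}/{vid}")
        self.cells.setdefault((eid, vid), {"excluded": False, "countermeasures": []})

    def decompose(self, vid: str, parts: list[Vulnerability]) -> None:
        """Stage 3.3.2: break a vulnerability that needs several exploitation steps
        into its composite vulnerabilities and feed them back into the matrix for
        every entity that carries the parent."""
        parent = self.vulns[vid]
        for p in parts:
            self.vulns.setdefault(p.vid, p)
            if p.vid not in parent.prerequisites:
                parent.prerequisites.append(p.vid)
        for (eid, linked) in list(self.cells):
            if linked == vid:
                for p in parts:
                    self.link(eid, p.vid)

    def exploit_depth(self, vid: str, _chain: frozenset = frozenset()) -> int:
        """Levels of security a threat agent must pass to exploit `vid`: the
        longest prerequisite chain plus the vulnerability itself."""
        if vid in _chain:
            raise ValueError(f"cyclic prerequisite chain through {vid}")
        v = self.vulns[vid]
        if not v.prerequisites:
            return 1
        return 1 + max(self.exploit_depth(p, _chain | {vid}) for p in v.prerequisites)

    def recommend(self, eid: str, vid: str, countermeasure: str) -> None:
        self.cells[(eid, vid)]["countermeasures"].append(countermeasure)

    def exclude(self, eid: str, vid: str) -> None:
        """Stage 3.4.1: drop the pair from further investigation in this iteration
        without removing it from the model."""
        self.cells[(eid, vid)]["excluded"] = True

    def active(self) -> dict[str, list[str]]:
        """Entity id -> vulnerability ids still under investigation."""
        out: dict[str, list[str]] = {}
        for (eid, vid), cell in self.cells.items():
            if not cell["excluded"]:
                out.setdefault(eid, []).append(vid)
        return out

    def statement(self) -> list[tuple[str, str, int, list[str]]]:
        """Stage 3.4.2 vulnerability statement: (entity, vulnerability, exploit
        depth, countermeasures) for every active cell."""
        return [(f"{eid} - {self.entities[eid].name}", self.vulns[vid].description,
                 self.exploit_depth(vid), list(cell["countermeasures"]))
                for (eid, vid), cell in self.cells.items() if not cell["excluded"]]


def build_example() -> CiipMatrix:
    """Constructed sample data, loosely following the paper's Tables 1 to 3."""
    m = CiipMatrix()
    m.add_entity(Entity("1.4", "Web Server", "Payment Systems", ["Payment Systems Support LAN"]))
    m.add_entity(Entity("1.6", "Workstation 6", "Payment Systems",
                        ["Payment Systems Support LAN via CAT5 cabling"]))
    m.add_vulnerability(Vulnerability("V1", "Software not up to date"))
    m.add_vulnerability(Vulnerability("V2", "Virus signature file out of date"))
    m.add_vulnerability(Vulnerability("V3", "Database server compromised from workstation"))
    m.link("1.4", "V1")
    m.link("1.4", "V2")
    m.link("1.6", "V3")
    # Stage 3.3.2: reaching the database from Workstation 6 first needs its password
    # controls subverted (Table 1's 1997 incident), so V3 is split and V4 fed back.
    m.decompose("V3", [Vulnerability("V4", "Subversion of password controls")])
    m.recommend("1.4", "V1", "Apply vendor updates on a fixed schedule")
    m.recommend("1.6", "V4", "Changed password (July 1997)")
    m.exclude("1.4", "V2")   # out of scope this iteration, but retained in the model
    return m


if __name__ == "__main__":
    for row in build_example().statement():
        print(row)
```

The matrix never offers a delete operation; `exclude` is the only way to drop a pair 
from an iteration, which is how the retention rule of stage 3.4.1 is enforced rather 
than merely documented. `exploit_depth` refuses cyclic prerequisite chains, since a 
decomposition that makes a vulnerability a prerequisite of itself indicates a modelling 
error in stage 3.3.2 rather than a deeper attack path. 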

3.6.4.2 CIIP-RAM Stage 3.4.2 - Vulnerability Statement Generation 

After the completion of the previous step in the methodology, the output will be 
a number of vulnerabilities related to an entity of a critical Information 
Infrastructure. In this step we will produce a final table which categorises entities, 
vulnerabilities and a list of associated countermeasure option/recommendations. As 
each infrastructure entity is denoted as critical it is important that each vulnerability 
is dealt with as though its exploitation could be fatal to the system infrastructure. 

3.7 INTRODUCTION TO STAGE 4 OF CIIP-RAM 

The final stage in this security risk analysis is to derive countermeasures for the 
vulnerabilities that were identified in the vulnerability assessment. These 
countermeasures should attempt to solve the security problem being faced whilst 
also attempting to maintain a reasonable degree of subjective cost benefit. The 
derivation of countermeasures can be done in many ways, including the concurrent 
application of bug fixes, patching, staff training, new software solutions etc. 

The formal presentation of these countermeasures should be delivered as shown 
in table 3 in the instance of each vulnerability: 



Table 3. Basic example of a countermeasures table 

Vulnerability                 Derived Countermeasures 
Apache Server security hole   Install and correctly configure firewall 
                              to assist halting of DOS attacks 



3.8 CIIP-RAM Stage 4 - Derive, Apply and Analyse 
Countermeasures 

Based on the recommendations put forward as an output from the previous stage the 
system implementation participation group should at this stage research the 
countermeasure solution space. The group should provide a selection of a finite list 
of possible countermeasures and should work toward an efficient solution to the 
problem. 

From the short list of solutions provided as output from the previous task, a 
countermeasure should be derived and formally described so as to provide a 
non-ambiguous process of countermeasure application. 

Users then apply the countermeasure that is the output from the previous task in a 
correct, thorough and compatible manner. It is important that the informing and 
training of staff that are required to deal with the newly implemented 
countermeasure be completed in an efficient and thorough manner also. 
After an agreed-upon period of time following the application of the countermeasure, it 
is extremely important to complete an analysis of the applied countermeasure. This 
analysis should include: 

• Testing of the functionality of the system post-implementation; 

• Mock exploitation of the originally perceived vulnerability in the 
post-countermeasure environment; 

• User training comprehension of the new environment. 

These three analysis sequences, respectively, should ensure that the system: 

• Still does the job it was designed to do in light of the newly applied 
countermeasures; 

• Is more robust in a security sense post-implementation; and 

• Is fully understood by the users of the system. 

4. FUTURE RESEARCH 

The major direction of this research at the current point is to derive a web-enabled 
version of CIIP-RAM which can be put into place to allow the security risk analysis 
process to be undertaken in an online environment. This product would allow for a 
more easily workable and hence more efficient final methodology. 

5. CONCLUSIONS 

CIIP-RAM is a move toward dealing with the scalability issues that have meant that RA 
was not immediately adaptable to information warfare and other information 
infrastructure protection requirements. This methodology would prove to be helpful 
to organisations with mid-level infrastructure, such as an organisational information 
infrastructure, if undertaken in isolation; however, the true benefits of this 
methodology would be seen if it was put into practice by higher-level infrastructure 
stakeholders. This uptake by higher-level infrastructure would lead to higher 
dependability and reliability being built into infrastructure systems from the outset. 
Information warfare needs a unique security methodology that is useful for dealing 
with all the previous concerns that Computer Security and Information Security 
dealt with, along with the ability to be adaptable and scalable. When 
researching existing methodologies, logical transformation models (LTMs) proved to be a 
suitable method for coping with adaptability issues. The scalability issues are dealt 
with through the application of multiple layers of LTMs. Cost evaluation has been 
found to be an outdated function when analysing IW risks; LTMs have the added 
feature of being solution-oriented and independent of any cost evaluation 
procedures. 
Abstract: Many security incidents involve legitimate users who misuse their existing 
privileges, such that they have the system-level right to perform an action, but 
not the moral right to do so. Current Intrusion Detection Systems (IDSs) are 
ineffective in this context, because they do not have knowledge of user 
responsibilities, normal working scope of a user for a relevant position, or the 
separation of duties that should be enforced. This paper considers examples of 
the forms that misuse may take within typical applications, and then outlines a 
novel framework to address the problem of insider misuse monitoring. The 
approach argues that users with similar roles and responsibilities will exhibit 
similar behaviour within the system, enabling any activity that deviates from 
the normal profile to be flagged for further examination. The system utilises 
established access control principles for defining user roles, and the 
relationships between them, and proposes a misuse monitoring agent that will 
police application-level activities for signs of unauthorised behaviour. 

Key words: Misuse Detection, Insider Misuse, Intrusion Detection, Role-based 
Monitoring. 



1. INTRODUCTION 

The need for information security is increasing as organizations depend 
on IT infrastructures for the smooth functioning of their businesses. While 
the media has highlighted the threat brought about by external intruders and 
viruses, it has not promoted the awareness of the threat to the organization’s 
IT infrastructure from its own employees. In reality, however, insiders are 
very often the cause of the most significant and costly security incidents, and 
a significant proportion of cybercrime can be attributed to them. 

This paper examines the problem of insider misuse, and outlines a 
framework for monitoring of user activity in order to detect potential misuse. 
The literature review section examines the scale of insider misuse and 
explains why current Intrusion Detection Systems are unable to detect some 
of the insider misuses, particularly improper data access and fraud. In the 
methods section, the common forms of application-level misuse are listed, 
and the abuse of features within database applications is analysed as a more 
specific example. The detection strategies employed by current intrusion 
detection systems are evaluated, and the requirements for effective insider 
misuse monitoring are identified. The results section presents a conceptual 
framework that would allow role-based monitoring of insider misuse. This 
framework would allow the detection of users violating the principles of least 
privilege and separation of duties. 



2. INSIDER MISUSE AND DETECTION ISSUES 

Examining computer crime literature and surveys dating up to the mid-90s 
suggests that the main threat was to be found from one’s own staff (with 
as much as 80% of computer crime believed to be the result of insider 
activity). For example, in discussing the findings of the 1995 survey from 
the Computer Security Institute (CSI), Power (1995, p.5) observes that “the 
greatest threat comes from inside your own organisation”. Although more 
recent years have revealed a different picture in terms of the incident 
proportions (e.g. by 2002, the CSI results reported that, for the fifth year 
running, more respondents had cited their Internet connection as a frequent 
point of attack (74%), than had cited internal systems (33%) (Power, 2002)), 
the financial impact of insider incidents is still clearly greater. Table 1 
presents the figures from these CSI/FBI surveys, and compares the dollar 
amount lost due to outsider attacks to that of insider net abuse and 
unauthorised insider access. The figures relating to insider abuse of network 
access clearly suggest that, as well as bringing considerable advantages in 
terms of web and email communication, Internet access has also ushered in a 
whole range of new problems. This can be further evidenced by a survey of 
544 human resources managers, conducted in 2002 and targeting large UK 
companies (i.e. employing an average of 2,500 people). The results revealed 
that almost a quarter (23%) had felt obliged to dismiss employees in relation 
to Internet misconduct (with the vast majority of these cases - 69% - being 
linked to the downloading of pornographic materials) (Theregister, 2002). 
Many other cases resulted in less severe courses of action, such as verbal 
warnings or a discreet word in the ear of the person concerned, and in total 
the results indicated that 72% of respondents had encountered Internet 
misuse in some form. 



Table 1. Annual losses for selected incidents from CSI/FBI surveys 

Year   | System penetration | Insider abuse of | Unauthorised 
       | by outsider        | Net access       | insider access 
-------+--------------------+------------------+---------------- 
1998   | $1,637,000         | $3,720,000       | $50,565,000 
1999   | $2,885,000         | $7,576,000       | $3,567,000 
2000   | $7,104,000         | $27,984,740      | $22,554,500 
2001   | $19,066,600        | $35,001,650      | $6,064,000 
2002   | $13,055,000        | $50,099,000      | $4,503,000 
2003   | $2,754,400         | $11,767,200      | $406,300 
Total  | $46,502,000        | $136,148,590     | $87,659,800 



The main difference between insider misuse and outsider attacks is that 
the insiders have legitimate access to the system and resources, but abuse 
their privileges by using the resources in an inappropriate manner or for an 
unapproved purpose. Anderson (1980) classifies such users as ‘misfeasors’. 
The fact that insiders are already within the organisation often puts them in 
an ideal position to misuse a system if they are inclined to do so, as they 
have inside knowledge of what security mechanisms are employed and how 
to evade detection. Current Intrusion Detection Systems (IDS) are geared 
towards detecting attacks by outsiders, as well as insiders who employ the 
same methods to mount an attack. The types of attacks the IDS can detect 
depend on the type of data collected for analysis. The data for intrusion 
analysis can be collected at three varying levels of the IT systems, i.e. 
Network, Host OS, and application (Phyo and Furnell, 2003). Different types 
of misuse can manifest themselves at varying levels within the system. 
Therefore the data needs to be collected at the appropriate level in order to 
detect various types of misuses. Many of the currently available intrusion 
detection systems are Network-based (Roesch, 1999; Paxson, 1998), and 
Host-based (Anderson et al., 1994; Lindqvist and Porras, 2001). Previously 
mentioned IDSs can detect network penetrations, exploitation of network 
protocols, and anomalous process behaviour. However, insiders may not 
need to exploit network protocols or system vulnerabilities in these ways 
because they already have legitimate access to the system (Audit Commission, 1990). 
In reality many security incidents involve legitimate users abusing their 
existing privileges, such that they have the system-level right to perform an 
action, but not the moral right to do so. This is especially true in database 
applications as database management systems are rich in functionality and 
varying classes of users can manipulate the data in many different ways. One 
of the main problems of insider misuse is the improper access of data within 
databases, which can result in data theft, breach of privacy, fraud, and 
compromised data integrity. Database level misuses can have severe impact 
on the organisation as many businesses employ database systems for record 
management, accounting, trading, business analysis and strategic planning. 
The authors have identified two notable approaches amongst previous work 
that detect anomalous behaviour at the application level. The first of these, 
DIDAFIT (Detecting Database Intrusions Through Fingerprinting 
Transactions), monitors anomalous SQL queries by generating fingerprints 
of authorised queries (Low et al., 2002). These fingerprints are sequences of 
SQL queries, along with variables that the users should not change, ensuring 
that the queries are executed in proper order and only on the restricted range 
of records. Another example is DEMIDS (Detection of Misuse In Database 
Systems) (Chung, Gertz, and Levitt, 1999), which attempts to profile 
working scopes based on user access patterns in relational databases, and 
assumes that a user will not typically access all attributes and data in a 
database schema. Therefore user access patterns will form some working 
scopes, which are sets of attributes usually referenced together with some 
values. Based upon this assumption, Chung et al. (1999) defined the notion 
of a distance measure between sets of attributes that consider both the 
structure of the data and user behaviour. This notion is then used to guide the 
search for regular patterns that describe user behaviour in a relational 
database. However, to be able to detect data theft and potential occurrence 
of fraud in complex transaction/trading systems, the detection system also 
needs to have the knowledge of user responsibilities, work patterns, 
separation of duties and organisation hierarchy. Knowledge of job positions 
and segregation of duties are important as the opportunity for misuse arises 
when the individual is in a position of trust and the controls are weak. Many 
of the misuses in the Audit Commission (1990) survey are the result of lack of 
application level controls and proper segregation of duties. Therefore, there 
is a need to provide the detection system with knowledge of required 
separation of duties, business processes, and working scope in order to 
enable more effective monitoring. 



3. OPPORTUNITIES FOR APPLICATION-LEVEL MISUSE 

Commercial applications include more features than the users may 
actually need to perform their tasks, and such features may sometimes be 
misused. In feature-rich applications, users of varying responsibilities 
may access different features, and a mechanism to control access to the 
features may not be present. Moreover, some of the features may not be easily 
disabled. Therefore, the detection system needs to monitor the 
features/functionality accessed by each user. In order to be able to prevent 
and monitor insider misuse, the nature of potential misuses must first be 
identified and analysed. This section analyses how features in common 
applications can be misused, and suggests a functional classification. Table 2 
lists the possible misuses with regard to the types of application commonly 
available on most computers, with the right-hand column indicating the 
means by which misuse would be achieved (Portilla, 2003). 



Table 2. Misuse of typical application features 

Application / LEGITIMATE ACTION      | MISUSE 
-------------------------------------+-------------------------------------------- 
Client/Server Applications           | 
  Message Exchange                   | Unusual exchange of messages that degrades 
                                     | performance 
  Connectivity to Server             | Exceeding possible number of connections to 
                                     | cause a denial of service 
  Execution of Tasks                 | Executing privileged procedures 
Word Processors                      | 
  Writing a Document                 | Insertion of illegal content 
                                     | Insertion of malicious code 
Mail Clients                         | 
  Sending and receiving emails       | Distribution of illegal content 
                                     | Setting up remote attack 
                                     | Private use/gain 
                                     | Spamming 
Browsers                             | 
  Browsing the Internet              | Access to illegal content 
  Access to cached files and history | Displaying other users’ viewed files and 
                                     | previous accesses 
Programming tools                    | 
  Developing programs                | Creation of malware 
  Debugging                          | Access to memory segments containing 
                                     | sensitive data 
General purpose applications         | 
  Input to programs                  | Buffer overflow for elevation of privileges 
                                     | Buffer overflow for code execution 
                                     | Buffer overflow for denial of service 
Database Applications                | 
  Data access                        | Anomalous browsing of database 
                                     | Inference attacks 
                                     | Inappropriate modification of data 


Despite controls established in databases, authorised users may misuse 
their legitimate privileges. Possible misuses associated with legitimate 
visualisation rights are: 
• Data aggregation: users could try to collect information about one or 
more individuals, transactions or products for different purposes. 

• Displaying data in an improper way (conditioned or sorted): when 
information is not displayed in a manner that exclusively serves the 
purpose of the database system, it can provide additional 
information and capabilities. For example, displaying a telephone 
directory sorted by number. 

• Retrieval of a large amount of data: users could attempt a partial 
reconstruction of the database by retrieving a large amount of 
information. This reconstruction could possibly provide more 
operations over the data that were initially restricted. 

• Discovering the existence of restricted information: unsuccessful 
attempts to display restricted fields could allow users to identify 
records with sensitive information or to guess part of them. 

• Inference: Data within a database is semantically related. Therefore, 
sometimes users can come to know an unknown value without 
accessing it directly by inferring it from known values. 

Misuses associated with legitimate creation and modification rights are: 

• Deliberate insertion of false data: users can insert erroneous content 
in the database in order to damage its integrity or to corrupt the 
supported procedures. 

• Misuse of coherence mechanisms: users can exploit mechanisms 
that check for coherence and compatibility of related values in the 
database. They may be able to discover the structure of the database, 
by displaying error messages when attempting to perform a writing 
operation. Besides, inserting false information into particular fields 
might be used to change the values of initially restricted fields. 

Considering the list of potential misuses listed in the table, it is possible 
that appropriate controls could be used to prevent some of them, but even 
these will not be sufficient for all contexts (consider, for instance, the case in 
which the misfeasor has legitimate access to the payroll database, but 
modifies records to raise his own salary). In this example, even though the 
user has the system right to modify the data, it should require someone else 
to authorise the modification. Many of the insider misuse cases in Audit 
Commission surveys are a result of lack of separation of duties and 
application level control (Audit Commission, 1990). Therefore, insider 
misuse is not only a technical problem, but also a managerial problem, 
because in some cases it is the improper segregation of duties that presented 
the problem. One of the main problems of insider misuse is the improper 
access of data in database environments, which can result in data theft, 
breach of privacy, fraud, and compromise of data integrity, depending on the 
motive of the perpetrator. 



4. A COMPARISON OF DETECTION STRATEGIES 

IDS employ two main strategies to identify attacks, namely misuse-based 
and anomaly-based detection (Amoroso, 1999), and it is possible to see how 
each of these could be applied to the insider problem. 

Misuse-based detection. This approach relies upon knowing or 
predicting the incident that the system is to detect. Intrusions are specified 
as attack signatures, which can then be matched to current activity using a 
rule-based approach. A similar approach could potentially be incorporated 
for misfeasor incidents, based upon those methods that employees have been 
known to exploit in the past, or those that they could be anticipated to 
attempt based upon the privileges and resources available to them. For 
example, at a conceptual level, one such misuse signature might relate to a 
user who is identified as attempting to modify a record about him/her in a 
database. The rule here is that no one should modify their own records 
without someone else’s authorisation. The problem with applying misuse- 
based detection to insider misuse is that the possible misuse scenarios for 
insiders are wide ranging and could be extremely organisation-specific. Thus 
it would be difficult to catalogue them all. Misuse-based detection is only as 
good as the database of signatures it relies upon for detection. Therefore, the 
database would need to be updated constantly to detect new attack methods. 
This approach would not be suitable for insider misuse detection as it would 
be too time-consuming in person-hours to create misuse signatures for all 
possible scenarios and to continually keep them updated. 

Anomaly-based detection. This approach relies upon watching out for 
things that do not look normal when compared to typical user activities 
within the system. In standard IDS, the principle is that any event that 
appears abnormal might be indicative of a security breach having occurred 
or being in progress. The assessment of abnormality is based upon a 
comparison of current activity against a historical profile of behaviour that 
has been established over time (Anderson et al., 1994). One advantage an 
insider misuse detection system has over the detection of outsider attacks is 
that it is possible to characterise the normal activities of insiders according 
to their job position, as users with the same responsibilities should exhibit 
similar activities within the system and application environment to complete 
their daily tasks. The similarities may be profiled to represent normal 
behaviour for users with the same responsibilities, with different profiles 
for different job positions. If the user’s behaviour deviates from the normal 
profile that represents his position, the activity should be flagged as 
suspicious. For example, monitoring the frequency of access to certain 
databases can lead to the detection of an insider who browses the database 
for personal use. Examples of such databases are medical records and criminal records. 

Applying these techniques to the detection of misfeasor 
activity makes the task more difficult, because we are dealing with 
legitimate users who are not violating system-level access controls. From a 
misuse-based detection perspective, it is more difficult to identify the ways 
in which an insider might misuse the resources to which they have legitimate 
access, while from an anomaly detection perspective the level of behaviour 
profiling would need to be more precise and comprehensive. When basing 
the assessment upon a comparison against their behaviour profile, a 
legitimate user misbehaving will almost certainly be more difficult to 
identify than a total impostor who is masquerading under the legitimate 
user’s identity, because it is more likely that the impostor’s behaviour would 
deviate by a larger margin, whereas conversely the deviation is likely to be 
minimal for a legitimate user who abuses existing privileges. In addition, in 
an adaptive system, the process of profile refinement might be exploited by 
wily misfeasors who gradually train the system to accept misuse behaviour 
as normal. Again, when users change positions within the organisation, their 
behaviour would change to reflect the new responsibilities assigned. A 
potential solution to counter the exploitation of profile refinement, and 
improve profile management is to profile common user behaviour based on 
the role the user takes up within the organisation. Another advantage of role- 
based profile comparison is that when the users of a particular role are 
assigned special assignments, the sudden change of user profile may not be 
considered anomalous, if the changes are similar for all users within the 
same role. Individual user profiles can be complemented, such that activities 
associated with job responsibilities are stored in the role profile and the rest 
in individual user profiles. 



5. KNOWLEDGE OF SEPARATION OF DUTIES 

Another problem associated with insider misuse detection is that current 
IDSs lack the necessary knowledge of business processes, organisation 
hierarchy, separation of duties, and the role of the users within the 
organisation structure. This knowledge needs to be expressed in the form 
that is understandable to the detection system, if effective misfeasor 
monitoring is to take place. Role management principles specified by 
Gavrila and Barkley (1998) are utilised in Role-Based Access Control 
(RBAC) to support user role assignment, role relationships, constraints and 
assignable privileges. The idea of role-based access control was introduced 
by Ferraiolo and Kuhn (1992). While privileges are assigned directly to 
users in Discretionary and Mandatory Access Control methods, assignment 
of privileges is a two-stage process in RBAC. Privileges are assigned to roles 
and the users are assigned to roles; subsequently the user inherits the 
privileges assigned to the role. A role can be thought of as a collection of 
operations required to complete the daily tasks of a user. This approach 
simplifies the task of assigning permissions to the user, as the roles for 
appropriate job functions are created with the least privileges required to 
complete the relevant tasks and the users are assigned to the role that reflects 
their responsibilities. Users can be assigned from one role to another, or 
assigned multiple roles, and permissions can be assigned at role-level to 
affect all users associated with the role. This use of roles is similar to the use 
of groups in Discretionary Access Controls (DAC). The main focus of 
RBAC is to maintain the integrity of the information by defining who can 
perform what operations on which set of data. The type of operations and 
objects that can be controlled by RBAC is dependent upon the environment 
and the level at which it has been implemented. For example, at the OS 
level, RBAC may be able to control read, write, and execute; within 
database management systems controlled operations may include insert, 
delete, append, and update; within transaction management systems, 
operations would take the form that express the properties of a transaction. 
The term transaction here means a combination of operation and the data 
item affected by the operation. Therefore, a transaction can be thought of as 
an operation performed on a set of associated data items. The ability to 
control specific transactions, rather than restricting simple read and write 
operations, is very important in database environments. For example, a 
clerk may be able to initiate a transaction and the supervisor may be able to 
correct the completed transactions, for which both users need read and write 
access to the same fields in the transaction file. However, the actual 
procedures for the operations and the values entered may be different. 
Meanwhile, the clerk may not be allowed to correct the completed 
transactions and the supervisor may not be allowed to initiate the 
transactions. The problem is that determining whether the data has been 
modified in the authorised manner can be as complex as the actual 
procedures that modified the data. This is where SQL fingerprinting 
techniques utilised in DIDAFIT can be employed. However, transactions 
need to be certified and classified before associating them with the roles. To 
characterise the required transactions for a role, duties and responsibilities of 
the users need to be specified first. 
The most interesting feature of RBAC is the ability to define 
relationships between roles and enforce separation of duties. In RBAC, 
separation of duties can be applied by specifying mutually exclusive roles, 
which allows administrators to regulate who can perform what actions, when, 
from where, in what order and sometimes under what circumstances. Access 
controls only allow or deny access to certain resources; however, there is a 
need to monitor and analyse the user actions after access has been gained 
and the operations have been carried out. In theory the idea of roles and role-
management principles can be applied to misfeasor monitoring. Instead of 
allowing or denying operations to be performed, common user operations 
can be associated with roles, and the users can be assigned to appropriate 
roles. If the user’s operations deviate from the common profile, a thorough 
investigation can be carried out to clarify whether the user has misused the system 
in an inappropriate manner or for an unapproved purpose. 



6. PROPOSING A FRAMEWORK FOR MISUSE MONITORING 

It has been mentioned previously that anomaly detection is more suitable 
for insider misuse detection, because employees’ normal behaviour can be 
profiled. It is assumed that the users with the same responsibilities within the 
organisation will exhibit similar activities within the system, and their 
working-scopes may be established. The idea of establishing working-scopes 
for users with the same responsibilities has been tested in relational database 
environments by Chung et al. (1999). However, in order to be able to detect 
violations of separation of duties, the detection system needs to be provided 
with knowledge of the organisation hierarchy and the relationships between 
roles. RBAC utilises role-relationship management principles to define role 
hierarchy and separation of duties. The authors’ proposed system combines 
the ability of RBAC to provide knowledge of role relationships with 
intrusion detection techniques to effectively detect users who abuse their 
existing privileges. 

Figure 1 presents the framework of the conceptual insider misuse 
detection system. Functional modules are explained in subsequent 
paragraphs. 

6.1 Management Functions 

All management functions, such as defining roles, characterisation of 
operations, association of operations to roles and user assignment to roles, 
are carried out from the Management Console. The working scope of a user 
is defined by the operations associated with the role(s) the user assumes. 
Once the relationships between roles, such as inheritance, static separation 
of duties and dynamic separation of duties, have been defined, they are 
expressed in the Role-Relations Matrix. Static separation of duties occurs at the 
role level by specifying mutually exclusive roles. When the two roles are in 
static separation of duties, a user may not be assigned both roles. Dynamic 
separation of duties occurs at the operations level and the conditions can be 
that operations within dynamically separated roles are mutually excluded, 
disallowed to execute concurrently, or disallowed to be performed on the 
same set of data. 

When the two roles are in dynamic separation of duties, the user may not 
execute the operations that are mutually exclusive or on the same set of data. 
The relationships expressed in the Role-Relations Matrix are checked 
against the rules specified by Gavrila and Barkley (1998) for consistency. 




Figure 1. Conceptual Framework for Role-Based Monitoring of Insider Misuse 
6.2 Host 

This is where the actual profiling of user(s) and the detection process 
takes place. Characteristics of each operation are stored in the Operations 
DB along with an appropriate name for each operation. The characteristics 
are dependent upon which level of the system they are being profiled at. 
Characteristics of the operations may be in the form of file access, sequence 
of system calls, SQL queries, API calls, User interactions, and Network 
access. Recording the characteristics of each operation is controlled from the 
Management Console. 

The profiling should be done at all three levels of the system namely: 
network, system, and application level. The Detection Engine checks the 
roles available to the active user, and next checks the RoleOperations table 
for the names of the operations available to the user. After this, the 
characteristics of the available operations from the Operations DB are 
compared to the current user actions. If current user actions do not match the 
characteristics of operations available to the user, the administrator is 
alerted. This alert may indicate the user performing a totally new operation, 
or performing an operation that is valid in the Operations DB but violates 
separation of duties because the operation is not listed under any of the roles the 
user may assume. 

The envisaged detection flow is as follows: 

1. The Detection Engine gets the name of the user from the Client and looks 
for the roles the user’s name is associated with in the Role-User 
table. 

2. After acquiring the list of roles for the user, the Detection Engine 
looks for the names of the operations associated with each role in the 
Operations DB (Note: only names of the operations are associated 
with the Roles.) 

3. After acquiring the names of operations available to the user, the 
Detection Engine reads the characteristics of available operations 
from the Operations DB and they are compared against current user 
actions. 

4. If the current user action matches with the characteristics of 
operations available to the user, then the user is not in breach of 
static separation of duties. 

5. If OpA belongs to RoleA, OpB belongs to RoleB, and RoleA and 
RoleB are in dynamic separation of duties, the condition of the 
separation is checked to determine whether the operations are: 
mutually excluded; disallowed to execute concurrently; or disallowed 
to be performed on the same set of data. 

If the user violated the specified condition, the system security officer is 
alerted. In addition, the misuse rules employed in expert systems within 
traditional IDSs can also be included. These rules may then be associated 
with an operation, such as modifying the payroll database to increase one’s 
own wages. In this case, the process is as follows: if a modification is 
performed on the payroll database, check that the employee ID of the user is 
not the same as that of the record being modified. (Note: this will require 
the inclusion of the system user ID in the personnel records.) 
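The detection flow above, as an added example that is not code from the paper: a small Python detection engine over constructed Role-User, RoleOperations and Operations DB tables, which checks static and dynamic separation of duties and the payroll self-modification rule. The table contents, the SQL-prefix operation characteristics and the "exclusive" / "same_data" condition names are assumptions made for this illustration.

```python
"""Role-based detection of insider misuse.

Added example, not code from the paper: it implements the five-step
detection flow of Section 6.2 and the payroll misuse rule over constructed
sample tables. Table contents, operation characteristics (SQL statement
prefixes) and alert texts are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role-User table: user name -> roles the user may assume (constructed)
ROLE_USER: Dict[str, Set[str]] = {
    "alice": {"Clerk"},
    "bob": {"Clerk", "Approver"},
    "carol": {"PayrollAdmin"},
}
# RoleOperations table: role -> operation names only, as in the paper
ROLE_OPERATIONS: Dict[str, Set[str]] = {
    "Clerk": {"CreatePayment"},
    "Approver": {"ApprovePayment"},
    "PayrollAdmin": {"EditPayroll"},
}
# Operations DB: operation name -> characteristics, here profiled at the
# application level as the shape of the SQL statement issued (constructed)
OPERATIONS_DB: Dict[str, str] = {
    "CreatePayment": "INSERT INTO payments",
    "ApprovePayment": "UPDATE payments SET approved",
    "EditPayroll": "UPDATE payroll SET",
}
# Dynamic separation of duties between role pairs and the condition checked
# in step 5: "exclusive" = the two roles may not both be exercised in one
# session; "same_data" = their operations may not touch the same record.
DSD_CONDITIONS: Dict[FrozenSet[str], str] = {
    frozenset({"Clerk", "Approver"}): "same_data",
}


@dataclass
class UserAction:
    user: str
    sql: str                           # characteristic observed by the Client
    record_id: Optional[str] = None    # data the operation touched
    employee_id: Optional[str] = None  # user's own ID from personnel records


@dataclass
class Session:
    # (operation, role, record_id) already performed by the user this session
    performed: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)


def classify(action: UserAction) -> Optional[str]:
    """Step 3: match the observed action against operation characteristics."""
    for name, prefix in OPERATIONS_DB.items():
        if action.sql.startswith(prefix):
            return name
    return None


def detect(action: UserAction, session: Session) -> List[str]:
    """Run the detection flow for one action and return alerts for the SSO."""
    roles = ROLE_USER.get(action.user, set())                              # step 1
    allowed = {op for r in roles for op in ROLE_OPERATIONS.get(r, set())}  # step 2
    op = classify(action)                                                  # step 3
    if op is None:
        return [f"{action.user}: action matches no known operation"]
    if op not in allowed:  # valid operation, but under none of the user's roles
        return [f"{action.user}: static SoD violated by {op}"]             # step 4
    role = next(r for r in roles if op in ROLE_OPERATIONS[r])
    alerts: List[str] = []
    for prev_op, prev_role, prev_rec in session.performed:                 # step 5
        cond = DSD_CONDITIONS.get(frozenset({prev_role, role}))
        if prev_role == role or cond is None:
            continue
        if cond == "exclusive" or (cond == "same_data" and prev_rec == action.record_id):
            alerts.append(f"{action.user}: dynamic SoD ({cond}) between "
                          f"{prev_op} and {op} on {action.record_id}")
    # misuse rule from Section 6.2: payroll changes to the user's own record
    if op == "EditPayroll" and action.record_id == action.employee_id:
        alerts.append(f"{action.user}: modified own payroll record")
    session.performed.append((op, role, action.record_id))
    return alerts


def demo() -> Dict[str, List[str]]:
    """Constructed scenarios: scenario name -> alerts raised."""
    bob = Session()  # bob creates a payment, then approves the same one
    return {
        "bob_creates": detect(UserAction("bob", "INSERT INTO payments ...", "pay-42"), bob),
        "bob_approves_same": detect(
            UserAction("bob", "UPDATE payments SET approved=1 ...", "pay-42"), bob),
        "alice_approves": detect(
            UserAction("alice", "UPDATE payments SET approved=1 ...", "pay-7"), Session()),
        "carol_self_edit": detect(
            UserAction("carol", "UPDATE payroll SET wage=...", "E100", "E100"), Session()),
        "alice_unknown": detect(UserAction("alice", "DROP TABLE payments"), Session()),
    }
```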



6.3 Client 

This is where the actual data is collected and transferred to the Host for 
analysis. The Clients can be network server systems or end-user 
workstations. The nature of the data collected may vary depending on the 
type of the Client. For example, mail logs can be collected from the mail 
server, user queries from the database server, and application logs from user 
workstations. The data to be collected is specified by the system 
administrator from the Management Console. The collected data can then be 
refined to a standard format by the Communicator module before sending 
the data to the Host, so that data from heterogeneous Client systems is in a 
standard format. The Client may also have a Responder module to respond 
to detected incidents, and the appropriate response for each incident can be 
specified from the Management Console. For example, when a misuse is 
detected, the Responder may be configured to terminate the user session, 
revoke privileges, deny further access, alert the security officer, or terminate 
the anomalous process (Papadaki et al., 2003). 



7. DISCUSSION AND CONCLUSIONS 

Insiders pose a considerable threat, and organisations need to give the 
detection of insider abuse the same priority as outsider attacks. Access controls 
only allow or deny access; however there is a need to monitor what the user 
does after gaining access to the system and objects. In order to effectively 
monitor privilege abuse, IDS require the knowledge of organisation 
hierarchy, managerial controls, responsibilities and working scopes of each 
user. The methods employed in RBAC to express knowledge of roles, 
organisation hierarchy, and separation of duties can be coupled with 
intrusion detection techniques to detect users who abuse their existing 
privileges. This paper presented a framework for monitoring users who 
abuse their existing privileges. 

In order to be able to implement the system successfully, separation of 
duties would first need to be defined at the organisation level. Next, the 
responsibilities of the users need to be defined. Then it needs to be checked 
that the operations a user is allowed to perform would not lead to a 
successful misuse. All of these are more of a managerial (rather than 
technical) issue. However, these are not trivial and could require a 
considerable amount of time and labour. Again, at a technical level, 
monitoring of user behaviour at application level may require modification 
of the software package if appropriate APIs are not included. 

The authors’ future research will focus on developing the proposed 
system and testing it against a variety of simulated insider misuses, such as 
data theft, fraud, net abuse, sabotage, and breach of privacy. 
Abstract: Software fixes, patches and updates are issued periodically to extend the 
functional life cycle of software products. In order to facilitate the prompt 
notification, delivery, and installation of updates, the software industry has 
responded with update and patch management systems. Because of the 
proprietary nature of these systems, improvement efforts by academic 
researchers are greatly restricted. One solution to increasing our understanding 
of the underlying components and processes is architectural recovery. One 
contribution to recreating an architecture is the examination of design 
specification literature, such as patents. If a sizeable amount of similar and 
hopefully diverse patents can be examined, then some general conclusions 
about the components and processes of existing systems may be formulated. In 
this paper, we present an analytic framework consisting of a five-phase 
protocol taxonomy based on thirty-three software-based update and patch 
management system patents and patent applications. Furthermore, we present 
a decomposition of the security design provisions contained within the patent 
literature, and provide some general trends derived from the data. We suggest 
that this research may be used to improve the security services aspect of 
update and patch management system products. 

Key words: Architectural Recovery, Taxonomy, Patches, Updates, Patents, and Security 
Design Provisions. 



1. INTRODUCTION 

At the core of the maintenance phase of the software development life 
cycle are the issuance of patches (software fixes) and updates (a collection of 
fixes and improvements) to resolve system faults, flaws (bugs), and security 
holes in an attempt to extend the functional life of a software product. Due to 
the time and effort required to assess, locate, and acquire these updates, this 
on-going effort is often delayed or overlooked by users and system 
administrators until some urgency or incident occurs that prompts a swift 
response. In recent years, software manufacturers have typically provided 
access to their product updates via the Internet (i.e. website, ftp, e-mail, 
bulletin boards and newsgroups). Interestingly, connectivity to the Internet 
has also created an additional burden to the issuance of updates and patches. 
The CERT Coordination Center maintains statistics on the number of 
vulnerabilities reported that can potentially be / have been exploited through 
malicious acts, virus infections, and self-replicating worms, among others. 
For the past three years, the vulnerabilities reported have continued to nearly 
double from the previous year. There were 1090 vulnerabilities 
reported in 2000, 2437 in 2001, and 4129 in 2002 [CE03]. The need for 
systematic notification, acquisition, and deployment of patches and updates 
has prompted the software industry to produce update and patch 
management systems. There are numerous producers and products of patch 
and update systems (see Table 1: Examples of Patch/Update System 
Products). 



Table 1: Examples of Patch/Update System Products 

Company Name                      Product 
BigFix Incorporated               BigFix Patch Manager 
Bindview Corporation              bv-Control 
Citadel Security Software         Hercules 
ConfigureSoft                     Security Update Manager 
Ecora Corporation                 PatchMeister 
Gibraltar Software                Everguard 
Harris Corporation                STAT Scanner 
Hewlett-Packard                   Security Check Patch 
McAfee Security                   OilChangeOnline 
Microsoft Corporation             Windows Update 
PatchLink Corporation             Patchlink 
Ringmaster Software Corporation   Ring Master 
Shavlik Technologies              HFNetChkPro 
St. Bernard Software              UpdateEXPERT 
Sun Microsystems                  Patch Management Module 

From a design and academic perspective, a primary problem emerges: 
How do we, as researchers, peel away the proprietary tendencies of 
organizations to hide the inner designs and processes of their products in 
order to better understand, communicate and hopefully improve the 
development of such systems? In the event that the original architectural 
design literature is unavailable, one possible approach is to reverse engineer 
the architecture through the use of system code, views, and documentation 
[Ei98]. The authors of this paper propose a supplemental approach using the 
information disclosed by inventors in patents and patent application 
documents, and in particular when such resources are unavailable. 

In section two of this paper, the authors present a discussion on the 
contributions of a taxonomy towards reconstructing system architectures. In 
sections three and four, we present our patent search criteria, and provide a 
protocol phase taxonomy derived from 33 update and patch management 
system patents and patent applications. We then re-examine the patents for 
security design provisions by each phase of the taxonomy in section five, 
and present a discussion of the security design implications and limitations 
of our findings in section six. 



2. CONTRIBUTION OF A TAXONOMY 

Before the significance of a taxonomy for reconstructing software 
architectures can be discussed, some basic understanding of what 
comprises an architecture, and of the issues in acquiring and 
documenting one, needs to be established. Shaw & Garlan (1996) state 
that: 

“The architecture of a software system defines that system in terms of 
computational components and interactions among those components. 
Components are such things as clients and servers, databases, filters, 
and layers in a hierarchical system. Interactions among components 
at this level of design can be simple and familiar.” 

As academics attempting to conceptually improve on existing systems, 
poorly documented or non-existent architectures (in documented form) pose 
a significant problem. Even when architectures do exist, they may no longer 
be valid because many systems simply have evolved beyond their original 
documentation due to in-process design development, and maintenance of 
existing code to adapt to changing conditions [Ka99]. Thus, reverse 
engineering and decomposition of existing systems becomes essential. The 
process begins at the lowest level of abstraction with an examination of the 
product’s source code and documentation. These are used to develop a set of 
software views with the use of domain knowledge by the researcher. 
Combining all these elements, in theory, should lead the researcher to 
developing a set of architectural elements that will be used to formulate the 
system's architectural representation [Ei98]. 
The discovery process of re-creating a software’s architecture involves an 
assembly of disparate sources of information by interpretive means. It is a 
very subjective process that may result in substantial variation from one 
researcher’s interpretation to another. Because the researcher’s interpretation 
is based on available information and the researcher’s own understanding of 
the subject matter, the process can be prone to error. It would, therefore, be 
reasoned that any additional contribution to clarifying the components or 
subsystems that comprise an architecture adds to the accuracy and 
consistency of its reconstruction. We propose that a taxonomy is a useful 
tool in architectural reconstruction, and creating a common reference point 
for researchers to improve existing products and processes. 

The American Heritage Dictionary (2000) defines “taxonomy” as “the 
science, laws, or principles of classification”; and the “division into ordered 
groups or categories” [Jo00]. The significance to architectural discovery 
provided by a taxonomy lies within the context of the ordered groups. The 
contributions provided by a taxonomy towards understanding an underlying 
architecture are: 

• Additional domain knowledge by which a researcher may interpret 
other aspects of accumulated design documentation and coding 
decomposition analysis [Ei98]; 

• A visual representation of how the detailed components are 
organized [Ka99] [Pa00]; 

• Explicit or implicit who, what, where, when, and how questions 
that provide abstractions for the corresponding categories of the 
taxonomy [So92]; and 

• A means for defining what data are to be searched for and 
recorded, as well as a means for comparison between specimens 
[La94]. 

In the following sections, we present our patent search criteria, the 
proposed, developed taxonomy, and apply the taxonomy phases to the 
security design provisions contained within the patent documents. 



3. SEARCH CRITERIA 

The original focus for this line of research was to add to our 
understanding of the fundamental design components and specifications that 
are predominant in the updating systems environment by providing a 
representative sample of global patents. Thus, our intention was to review 
the patent literature that represented complete, software-driven systems for 
the purpose of studying the interconnecting processes. To be eligible for our 
review, the literature had to involve the update of operational and/or 
application code excluding firmware (i.e. not processors, modems, etc). The 
emphasis of the search was placed on “method of’ instead of “apparatus for” 
in order to reduce the amount of hardware dependence in the specification. 
Where appropriate, patent applications were also included. Lastly, due to the 
popularity of English regarding end-user targeted markets, and commercial 
development centres, our emphasis was placed on patents filed in English. 

The first step was to search the patent databases’ abstracts for 
occurrences of “patch”, “update”, “dissemination”, etc. in order to initially 
narrow the volume of potential systems. This initial step reduced the 
possible systems to approximately 2,000. After appraising the remaining 
abstracts, 100 patents and patent applications were selected for detailed 
examination by applying the search criteria. This process resulted in 24 
patents and 9 patent applications from which we formulated a better 
understanding of the state-of-the-art in update and patch management 
systems. 

Because our goal is to develop a technological understanding of update 
and patch management systems, we examined only the descriptive matter 
and diagrams of each patent. We did not analyze the claims of any patent for 
their novelty, originality, or specificity. Such matters are of vital importance 
in legal proceedings, but were not a factor in our development of the 
taxonomy. 



4. TAXONOMY PHASES PRESENTED 

During the detailed examination of the patent documents, we discovered 
that the patents contained a sequence of communication steps for initiating a 
communication session, performing some exchange of information regarding 
updates, performing some determination as to the requirement to deliver an 
update, transporting the update, and initiating an installation. Within each of 
these protocol phases, there emerged distinct categories as to the means or 
methods to facilitate each phase. It is on these phases and categories that we 
base the following taxonomy (see Table 2: Updating / Patch Management 
Systems Protocol Taxonomy). 
Table 2: Updating / Patch Management Systems Protocol Taxonomy (5 sub-taxonomies) 

Activity Phase  Category                      Count  Patents (see references) 
Contact         Client, User Defined             19  A2, A4a, A7a, A8a, A9a, P1, P2, P3, P7, P8a, P9, 
                                                     P12a, P13, P14, P15, P16, P20, P22a, P24a 
                Client, System Defined           19  A4b, A5, A6, A7b, A8b, A9b, P4, P5a, P6, P8b, P10, 
                                                     P11a, P12b, P17, P18, P21, P22b, P23, P24b 
                Server, User Defined              2  A3a, P11b 
                Server, System Defined            6  A1, A3b, A7c, A8c, P5b, P22c 
                Integrated / Combined             1  P19 
Selection       Client to Server                 20  A2, A4, A5, P2, P3, P4, P5, P7, P8, P9, P10, P12, 
                                                     P14, P15, P16, P17, P18, P20, P23, P24 
                Server to Client                 10  A3, A6, A7, A8, A9, P6, P11, P13, P21, P22 
                Integrated / Combined             2  A1, P19 
Determination   No Protocol                       1  P1 
                Index / Manifest / Table         28  A1, A2, A3, A4, A5, A6, A7, A8, A9, P1, P2, P3, P5, 
                                                     P6, P7, P9, P11, P12, P13, P14, P15, P16, P18a, P19, 
                                                     P20, P21a, P22, P23 
                State Change                      3  P10, P18b, P21b 
                Configuration Information         4  P4, P8, P17, P24 
Transport       Client Pull                      25  A1a, A2, A3a, A4, A5, A6, A7a, A8a, A9, P1, P4a, P6, 
                                                     P9, P10, P11, P13, P14, P15, P16, P17, P18, P20a, 
                                                     P21a, P22a, P24a 
                Server Push                      11  P2, P3, P4b, P5, P7, P8, P12, P19, P20b, P21b, P23 
                Reference Location                6  A1b, A3b, A7b, A8b, P22b, P24b 
Installation    Client, Manual                   11  A1, A2a, A5, A6a, P1a, P2a, P3a, P7a, P12a, P16a, 
                                                     P20a 
                Client, User Enabled             19  A2b, A6b, A7a, A8a, P1b, P2b, P3b, P4a, P5a, P7b, P9, 
                                                     P11a, P12b, P13, P14, P15a, P16b, P19, P20b 
                Client, Automated                13  A2c, A3, A6c, A9, P5b, P6, P12c, P15b, P16c, P17, P20c, 
                                                     P21, P23 
                Server, User Enabled              3  P8a, P11b, P24a 
                Server, Automated                12  A4, A7b, A8b, P2c, P3c, P4b, P7c, P8b, P10, P18, P22, 
                                                     P24b 

The above activity phases can best be thought of as answering the 
following questions: 
• Contact: When is contact initiated and by whom? 

• Selection: Where is the exchanged information compared? 

• Determination: What is the basis for the determination of an update? 

• Transport: How is the update acquired? 

• Installation: Who has control of the installation? 

Within each phase, there are self-explanatory categories identifying the 
methods discussed in the patent literature. However, we would like to clarify 
several categories within the Contact, Selection and Determination phases. 
In the Contact and Selection phases, “Integrated / Combined” designates that 
the processes are a combination of communications and transfers of 
information between the client and the server (much more than a 
handshake). In the Determination phase, “Index / Manifest / Table” refers to 
a software data list that is used for comparison with a master list. “State 
Change” refers to the status-data of the software. When a given state change 
is detected between two systems (client/server), the master system (server) 
restores or updates the software of the servant (client) to the new state. 

It should be noted that within each patent there were variations and 
multiple embodiments of the claims presented. This allowed an inventor to 
assert variations on the approaches/methods claimed. Thus, in Table 2 there 
are multiple category entries within each phase for the same patent. For 
instance, patent P8 describes an embodiment in which a client permits the 
user to initiate the communication manually (P8a: user defined) or the client 
contacts the server on a timely/periodic basis (P8b: system defined). 



5. SECURITY PROVISIONS 

The term “secure” carries with it a multitude of subjective implications 
and exceptions. Before a software product can be identified as secure, the 
security objectives, i.e. “a statement of intent to counter identified threats 
and/or satisfy identified organization security policies and assumptions” 
[Co99], must be considered with regards to standard security fundamentals. 
Because these security objectives are either confidential, poorly documented 
or non-existent, we needed a way to examine each phase of the protocol 
taxonomy so that any security provisions contained within the design 
documentation (i.e. the patent) could be identified and classified. Our 
purpose was to facilitate the emergence of any potential design trends 
[Pa00]. 
Therefore, using The Open Group Architectural Framework 
(TOGAF) Security Services guidelines as a basis for considering any design 
considerations contained within the patents, we re-examined the 
documentation by each phase of the protocol. These guidelines are based on 
the Technical Architecture Framework for Information Management 
(TAFIM), developed by the US Department of Defence, and are used in the 
development of an IT architecture. The guidelines are outlined in Table 3. 



Table 3: TOGAF Security Services Guidelines [Op03] 

Service                             Criteria 
Identification and authentication   Identification, accountability and audit of users and their actions 
                                    Use of authentication and account data 
                                    Protection of authentication data 
                                    Active user status information 
                                    Password authentication mechanisms 
System entry control                Security-aware warning to unauthorized users 
                                    Authentication of users 
                                    Information about login attempts 
                                    User initiated locking of a session 
Audit                               Authorized control and protection of the audit trail 
                                    Recording of security-relevant events 
                                    Audit trail control, management and inspection 
Access control                      Access control attributes for subjects and objects 
                                    Enforcement of rules of access control attributes 
                                    Enforcement of access controls 
                                    Control of object creation and deletion, including reuse of objects 
Non-repudiation                     Proof that a user carried out an action, or sent or received some 
                                    information, at a particular time 
Security management                 Secure system set-up and initialization 
                                    Control of security policy parameters 
                                    Management of user registration data and system resources 
                                    Restrictions on the use of administrative functions 
Trusted recovery                    Recovery facilities in ways that do not compromise security 
                                    protection 
Encryption                          Ways of encoding data such that it can only be read by an 
                                    appropriate key or other secret information 
Trusted communication               A secure way for communicating parties to authenticate 
                                    themselves without the risk of masquerading 
                                    A secure way of generating and verifying check values for data 
                                    integrity 
                                    Data encipherment and decipherment 
                                    A way to produce an irreversible hash of data for support of 
                                    digital signature and non-repudiation functions 
                                    Generation, derivation, distribution, storage, retrieval and 
                                    deletion of cryptographic keys 


Each patent was re-examined with regards to the TOGAF security criteria 
(see Table 3). An allocation to an appropriate phase was assigned if the 
patent provided some account of a security service or mechanism that 
matched at least one of the TOGAF Security Services’ qualifications. An 
example would be that at the installation phase, a given inventor states that a 
digital certificate would be included with the update file to ensure the file’s 
integrity and source of origin. The patent would be allocated to the 
non-repudiation and trusted communication provisions of the installation phase. 
Table 4 summarizes the results. 
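An added example, not code from the paper or from any of the patents it surveys, of two mechanisms described above: the Determination phase's "Index / Manifest / Table" comparison of a client index against a master list (Section 4), and an installation-time check of a transported file's integrity and origin against that list. An HMAC over the master list stands in for the digital certificate the patents mention (a simplification so the example needs only the standard library); the file names, versions, contents and key are constructed.

```python
"""Manifest-based update determination with integrity and origin checks.

Added example, not from the paper or the patents it surveys: it implements
the Determination phase's "Index / Manifest / Table" comparison and an
Installation-phase check of the transported file. An HMAC over the master
list stands in for the digital certificate the patents describe (a
simplification so the example needs only the standard library); file names,
versions, contents and the key are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Shared secret between update server and client (constructed)
MANIFEST_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_master_list(files: Dict[str, Tuple[int, bytes]]) -> bytes:
    """Server side: version and hash per file, with a check value over all."""
    entries = {name: {"version": ver, "sha256": sha256_hex(body)}
               for name, (ver, body) in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}, sort_keys=True).encode()


def verify_master_list(blob: bytes) -> Dict[str, dict]:
    """Client side: reject a master list whose check value does not verify."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc.get("hmac", "")):
        raise ValueError("master list failed integrity/origin check")
    return doc["entries"]


def determine_updates(client_index: Dict[str, int], master: Dict[str, dict]) -> List[str]:
    """Determination phase: files whose installed version lags the master list."""
    return sorted(name for name, entry in master.items()
                  if client_index.get(name, -1) < entry["version"])


def verify_update_file(name: str, payload: bytes, master: Dict[str, dict]) -> bool:
    """Installation phase: the transported file must match its listed hash."""
    return hmac.compare_digest(sha256_hex(payload), master[name]["sha256"])


def demo() -> dict:
    """Constructed run: one stale file, one missing file, one tampered list."""
    server_files = {"app.bin": (3, b"app v3"), "lib.so": (2, b"lib v2"),
                    "help.txt": (1, b"help")}
    blob = build_master_list(server_files)
    master = verify_master_list(blob)
    client_index = {"app.bin": 3, "lib.so": 1}  # help.txt not installed at all
    needed = determine_updates(client_index, master)
    tampered = json.loads(blob)
    tampered["entries"]["lib.so"]["version"] = 99  # altered in transit
    try:
        verify_master_list(json.dumps(tampered).encode())
        rejected = False
    except ValueError:
        rejected = True
    return {
        "needed": needed,
        "genuine_ok": verify_update_file("lib.so", b"lib v2", master),
        "tampered_ok": verify_update_file("lib.so", b"lib v2 (modified)", master),
        "bad_list_rejected": rejected,
    }
```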

What we have attempted to provide is a classification of the assertions 
made in the body of patents and applications, with regards to any security 
design provisions that the inventor has proposed to include in their particular 
invention. What we have not provided in this research is any evaluation of 
the feasibility, reliability or efficiency of any of the specified mechanisms or 
systems. Such evaluations would be a fruitful, albeit difficult, subject for 
future research. 

Our analysis of the patent literature is summarized in Table 4. We 
observe that inventive activity has focused mostly on the provision of 
security in the installation phase (75 counts in Table 4), with relatively little 
attention being paid to the selection and determination phases (24 and 17 
counts). Frequent use was made of audit and trusted communication, but 
very little mention was made of security management and access control. 

Overall, the patents and applications take a reasoned approach to 
providing security in update and patch management systems. Even so, the 
empty cells in Table 4 reveal security provisions that are not discussed in the 
patent literature we reviewed, but which we believe must be addressed at 
some point in the development of a truly secure patch management system. 

• System Entry and Control Services, in the Determination phase (0 
counts). The patent literature reveals no provision for authenticating 
users or objects. This may become a problem if the data to be 
compared is encapsulated as an object. 

• Access Control, in the Transport phase (0 counts): no provision for 
privilege management. This function could be used as a push 
distribution point for malicious code in the same sense that viruses 
exploit E-mail address books to distribute themselves. 

• Non-Repudiation, in the Contact phase (0 counts): no proof of 
identity, even though transactions may be audited. In the 
Determination phase (0 counts): a lack of non-repudiation may be a 
limiting factor in secure deployments where it is important to 
establish proof of origin, original content, delivery, and/or original 
content received. 
• Security Management, in the Determination (0 counts) and 
Transportation phases (0 counts): we interpret this as an 
insufficiency in requirements specification, rather than as a defect in 
design. These forms of security are easily provided by underlying 
network protocols and operating systems. 

• Trusted Recovery in the Contact (0 counts) and Selection phases (0 
counts): no secure method is proposed to authenticate, generate and 
verify integrity check values. We interpret this as another 
insufficiency in requirements specification, rather than in design. 

Table 4: Number of Patents with Various Security Provisions, by Phase (33 Patents Total) 

Security Provisions                 Contact       Selection     Determination  Transport     Installation  Total 
Identification and authentication   12 (E1)       5 (E2)        2 (A4, P8)     6 (E3)        8 (E4)        33 
System entry control services       7 (E5)        1 (P8)        -              1 (P21)       2 (P8, P21)   11 
Audit                               6 (E6)        4 (E7)        4 (E8)         13 (E9)       18 (E10)      45 
Access control                      1 (P8)        2 (P8, P13)   2 (P8, P13)    -             3 (E11)       8 
Non-repudiation                     -             1 (P8)        -              2 (P13, P17)  9 (E12)       12 
Security management                 2 (P8, P17)   1 (P8)        -              -             4 (E13)       7 
Trusted recovery                    -             -             1 (P21)        2 (P17, P21)  17 (E14)      20 
Encryption                          6 (E15)       4 (E16)       3 (E17)        10 (E18)      4 (E19)       27 
Trusted communication               6 (E20)       6 (E21)       5 (E22)        12 (E23)      10 (E24)      39 
Total Counts                        40            24            17             46            75            202 

Entries with more than 2 patents or applications: 
E1: A3, A7, A8, A9, P4, P5, P8, P10, P18, P21, P22, P24 
E2: P5, P8, P17, P21, P24 
E3: P2, P3, P5, P7, P8, P21 
E4: A7, A8, P8, P15, P16, P21, P22, P23 
E5: A7, A8, P4, P5, P8, P21, P22 
E6: A7, A8, P8, P10, P18, P22 
E7: A7, A8, P4, P22 
E8: A7, A8, P4, P22 
E9: A2, A7, A8, P5, P6, P9, P13, P14, P15, P16, P20, P21, P22 
E10: A2, A7, A8, P2, P3, P4, P5, P6, P7, P8, P9, P13, P14, P15, P16, P17, P20, P22 
E11: P9, P13, P15 
E12: P8, P9, P13, P14, P15, P16, P17, P20, P23 
E13: P2, P3, P7, P16 
E14: A2, A7, A8, P2, P3, P6, P7, P8, P9, P11, P14, P15, P16, P17, P19, P20, P22 
E15: A7, A8, P8, P10, P18, P22 
E16: A2, P8, P10, P18 
E17: P10, P18, P21 
E18: A2, P5, P9, P10, P14, P15, P16, P18, P20, P21 
E19: A9, P10, P16, P21 
E20: A2, A7, A8, P8, P10, P18 
E21: A2, P8, P10, P13, P17, P18 
E22: A1, P10, P17, P18, P21 
E23: A1, P9, P10, P13, P14, P15, P16, P17, P18, P20, P21, P23 
E24: A7, A8, P10, P14, P15, P16, P17, P18, P22, P23 

Our summary matrix (Table 4) can also be used to generate research 
questions. For instance, as noted above, we found no provision for non- 
repudiation in the contact phase. Two questions that come to mind are 
“Would there be any benefit to the server if the client initiated contact in a 
non-refutable manner?” and “Would there be any benefit to the client if the 
server initiated contact in a non-refutable manner?” We believe that the 
answers are “yes”, and that enquiry along these lines would lead to 
improvements in the design, requirements specification, and other 
documentation for update and patch management systems. 

A detailed examination or study of the subjectivity involved in 
conducting this research may be of value for establishing parameters for 
future academic research that attempts to draw conclusions about a 
technological field by examining the patent literature. 



6. SUMMARY 

In this paper, we have argued that taxonomies can be a valuable 
contribution in the understanding and the reconstruction of system 
architectures, and that they may be effective in organizing system(s) design 
documentation. We developed an analytic framework for describing and 
characterizing update and patch management systems. The framework was 
developed from a consideration of the systems disclosed in the bodies of 
thirty-three (33) patents and patent applications. Our analytic framework has 
the following elements: a generalized update process, a decomposition of the 
update process into five (5) phases, several alternative methods for 
accomplishing each phase of the protocol, and a consideration of the security 
services that may be provided by each phase. We have established that when 
a taxonomy is combined with industry design specifications (our 5 phase 
protocol & TOGAF), useful trends may be inferred, and additional research 
questions may be developed for pursuing the improvement of system 
architectures [Co03]. 
Abstract: Today’s society is extremely apprehensive and cautious regarding security 
attacks with the result that identification and authentication have become a 
necessity. Sectors such as healthcare, education and transportation all require 
robust identification solutions and Smart-cards can deliver these solutions. 
The memory capacity and processing capabilities of the Smart-card make it 
vastly superior to competing technologies such as magnetic stripe cards, 
which are susceptible to such threats as ‘skimming’ and as a result are very 
insecure. Additionally, the data on the cards is often erased or corrupted by 
scratches or magnetic interferences. There are however many disadvantages to 
Smart-cards; such as the fact that both the cards and the infrastructure 
necessary can be costly. In order to be acknowledged as a standard and to 
enhance user acceptance of the cards, a behavioural change on the part of 
the user, rather than a technological one, is required. 

To date previous research studies have focused on Smart-card failures. 
However, this paper investigates the introduction of this Smart technology 
into an educational setting. Therefore the factors that affect its acceptance and 
use as well as the issues facing organizations and universities in adopting the 
technology are investigated. The paper provides a comprehensive analysis of 
the findings of the case through an illustration of the factors identified in 
relevant literature and those identified in the study (see Table 1) as well as 
unforeseen behavioral issues from the users such as a mass student protest 
against the use of the card. 



Key words: Smart-card technology; innovation; user acceptance; security and education. 
INTRODUCTION 

As the need for trust, authenticity and security in digital communications 
becomes ever greater, the case for robust identification solutions grows 
stronger [Katz et al., 2002]. This paper outlines how Smart-cards can deliver 
these solutions in an educational institution due to their inherent strengths, 
security among other factors. The benefits of the technology are 
discussed in the paper to explain why Smart-card technology is so 
important for today’s ‘closed communities’ and organizations. The 
advantages and disadvantages of Smart-cards are outlined to highlight the 
benefits that they can provide, as well as the disadvantages that may be 
hindering their acceptance and use. The reasons for the introduction of 
Smart-card technology are outlined, and security is argued to be a reason 
why Smart-cards are utilized, by discussing the risks and issues involved and 
why security is so important and necessary for varied forms of operations, 
from accessing a building to conducting a financial transaction. Encryption, 
and the levels at which it is used to combat security issues or threats, is 
discussed to highlight the potential of the Smart-card to combat these threats. 
Additionally, the paper briefly explains the security risks that exist in 
conjunction with the Smart-card to illustrate that while the technology is an 
intrinsically secure device [Urien, 2000], it is not one hundred percent 
secure [McGraw et al., 1999]. Innovation diffusion theory is discussed, as 
Smart-card technology is viewed as relatively new, and a model of some of 
the factors affecting the acceptance of an innovation is examined. The paper 
concludes that there is a need to research Smart-card technology and the 
factors necessary for its acceptance and use. It argues the validity of the 
technology as well as possible factors that may be slowing its acceptance. 



1. THEORETICAL FOUNDATION 

Moore (1994) believed that for an organization, innovation is any 
product, input, process, service or technology that the organization perceives 
as new. Truman et al. (2003) claimed that Smart-card technology fits this 
description of an innovation as it is new to most individuals and 
organizations, despite the fact that it has existed in various familiar 
forms such as telephone call cards. A popular model to explain and predict 
rates of IT innovation adoption is the diffusion of innovation theory (DOI) 
[Rogers, 1995], which aids new IT implementations. Rogers (1995) defines 
diffusion of innovations (DOI) as the process “...by which an innovation is 
communicated through certain channels over time among the members of 
the social system”. The model identifies five essential characteristics that 
enhance the rate and effectiveness of diffusion, as follows: (1) relative 
advantage, (2) compatibility, (3) complexity, (4) trialability and (5) 
observability. The first characteristic is the relative advantage of the 
innovation over the idea it replaces, including economic profitability, 
convenience and/or other benefits. The innovation is more likely to be 
accepted if it is perceived as providing advantages [Hebert & Benbasat, 
1994]. The second characteristic is the compatibility of the innovation with 
the existing values, past experiences and needs of the adopters. People are 
more likely to adopt a technology if it is functionally compatible with those 
previously adopted [Dearing et al., 1994] and is consistent with the existing 
values, needs and past experiences of adopters [Rogers, 1995]. The third 
characteristic relates to the level of complexity, or the ease with which an 
innovation can be understood. Finally, the fourth and fifth, related, 
characteristics are trialability, or the degree to which adopters 
can implement an innovation on an experimental basis, and observability, or 
the extent to which the results of an innovation are visible to others. Rogers’s 
theory found that these five factors were dependent not only on the specific nature of 
the innovation but also on the specific characteristics of the adopting group. 
The people who do not trust technology, for example, are generally older, 
less educated and earn low salaries [Punishill & Shevlin, 2001]. Research 
has shown that the perceived characteristics of an innovation are closely 
linked to adoption [Rogers, 1995], more so than the personal characteristics 
of the adopting group [Tornatzky & Klein, 1982]. 

The value of innovative applications is dependent upon adoption and 
acceptance by the relevant parties involved [Plouffe et al., 2001], such as the 
party implementing it and the intended users, because if one of the groups 
resists, it could threaten the introduction of the innovation. The 
benefits derived from increased usage of a technology can be seen in the use 
of the telephone, for example. If it was not used, there would be no 
point in someone adopting it, as the user would have no one to establish a 
connection with; but as more people used the technology, the benefits of 
adopting it (the telephone) continued to increase. Truman et al. 
(2003) use this argument when explaining that Smart-card technology is 
suffering a similar fate, as the benefits gained from Smart-cards will 
increase as more users adopt the card. 



1.1 Smart-cards 

A Smart-card is a “...credit card sized conventional plastic card”, 
containing an embedded silicon computer chip (which can be a 
non-programmable or programmable microprocessor) [Blakey & Saliba, 2000]. Di Giorgio 
(1998) describes it simply as a credit card with a ‘brain’, which allows a 
large amount of information to be stored, accessed and processed either on- 
or offline [Choi et al., 1998]. Smart-cards are in fact differentiated by the 
type and size of integrated chip (IC) used by the manufacturer and the 
method of communication utilized to interact with Smart-card readers 
[Sorenson, 2001]. Smart-card technology has been in use since the early 
1990s but it is still considered a relatively new technology by retailers, 
consumers and users [Truman et al., 2003]. It has many technological 
advantages over rival technologies such as the magnetic stripe card, which 
include: (1) security, (2) memory size, (3) portability, (4) convenience, (5) 
multiple applications, (6) cost savings and (7) micro-charging. 

(1) The security component incorporated into the design of Smart-cards 
provides a secure means of physically carrying information as it 
protects against ‘...the illegal use of lost or stolen cards, manufacture 
of counterfeit cards, the manipulation of data and fraudulent use of the 
card’ [Newing, 1998]. Smart-cards are extremely secure to carry 
through the use of multiple factor authentication [Perkins, 2002], so 
that both the card and a personal identification number (PIN) are 
required. This two factor authentication that the Smart-card possesses 
can considerably reduce fraud, ensuring the integrity and security of 
transactions and therefore saving millions [Wallis, 2002] for financial 
institutions. It can also be applied to the Internet, where the security 
threats faced mean that identification and authentication are very important 
for trust [Pohlmann, 2001]. However, when used as a wallet, Smart- 
cards are like cash in that if they are lost the cash on the card is gone 
forever [McGraw, 1998]. The self-containment of the card makes it 
tamper resistant [Lett et al., 2002]. Cryptographic algorithms can be 
stored locally in its internal circuitry, unlike on magnetic stripe cards, 
therefore protecting and retaining the users’ ‘secrets’ [M’Raihi & Yung, 
2001]. 

(2) Smart-cards provide a greater memory capacity than magnetic stripe 
cards, which have a total storage of 125 bytes, while the microchip on 
the Smart-card can hold large amounts of data ranging from 1 Kbps to 
64Kbps [Kapoor, 2002]. One benefit of this is the ability to track 
customer spending records [Miller, 2002]. The card can also physically 
separate data into a multi-partition file system, so that many 
applications can be safely run on a single Smart-card [Rastogi & Das, 
2002]. The extra memory can also allow them to utilize biometrics and 
encryption [Rastogi & Das, 2002]. 

(3) Smart-cards are portable, making the card and the credentials they 
carry, such as private keys, very manageable [Berney, 2000]. The extra 
layer of security that the card provides means that users are not limited 
to a particular desktop computer [Coia, 2002]. However, this user 
mobility is only possible if every machine that the user accesses has a 
Smart-card reader attached [Chadwick, 1999]. 

(4) Apart from the convenience added through their portability, Smart-cards 
can also replace the various identification cards, notes and coins by 
combining them into a single card [Choi et al., 1998]. Smart-cards are 
ideal because of their convenience and ease-of-use [Lee et al., 2000], 
due to the use of a form (the plastic card) that people are familiar with 
[Gemplus, 2003]. 

(5) The ability to handle multiple applications is one of the primary reasons 
for the card’s growth. According to a study by Frost & Sullivan (2003), 
‘...smart-cards are the only token technology that provides multi- 
application capability coupled with a multi-function form factor that is 
virtually ubiquitous’. Due to the processing power of Smart-cards, the 
card is ideal for mixing multiple functions, which can help organizations 
such as colleges or governments to manage and improve their 
operations at lower costs [Choi et al., 1998] and offer innovative 
services. The card allows companies to work with partners in other 
industries to provide complementary services, and customers to enjoy 
more customised services that add convenience and ease of use. In fact, 
interoperability, or multi-application use, is the way forward in terms 
of consumer acceptance [Alder, 2002]. 

(6) Smart-cards can offer transaction cost savings over magnetic stripe cards. 
When the card is read by an electronic reader, the encryption devices 
validate and verify each other. The technology also allows transactions 
to be carried out off- or online, eliminating the middleman, as telephonic 
verification is no longer required for authorisation [Miller, 2002]. 
Smart-cards, unlike magnetic-stripe cards, can carry all necessary 
functions and information on the card and do not require access to 
remote databases at the time of the transaction [Coleman, 1998]. Smart- 
cards can also reduce labor costs by eliminating paper, and therefore 
paper handling, which is especially important in paper-heavy industries 
such as healthcare [Choi et al., 1998] or education. 

(7) Smart-cards are ideal for micro-charging or payments such as small 
Internet purchases because cheques and credit cards are too expensive 
[Karppinen, 2000]. There is also a growing demand for an alternative to 
credit cards because children and young adults will not be able to gain 
access to the smart-card e-purse which can be used for micro-payments 
[Lee et al., 2000]. 

Essentially the technology, as outlined, offers numerous benefits to the 
different types of users. However, as with every technology, the Smart-card is 
susceptible to issues that affect user acceptance. 
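The card-and-reader mutual verification referred to under advantages (1) and (6) above, where the card keeps its cryptographic secrets in its own circuitry and the two devices validate each other before an offline transaction, can be made concrete as a challenge-response exchange. The Python below is an added example written for this page, not code from the paper or from WIT's card system; the shared key, the card and terminal identifiers and the HMAC-SHA256 construction are assumptions chosen for illustration, and a real issuer would diversify a per-card key and keep the terminal side in a secure access module.

```python
"""Mutual challenge-response between a Smart-card and a reader.

Added example (not from the paper or WIT's system). Key, identifiers and the
HMAC-SHA256 construction are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed demo key. A real issuer would diversify a per-card key from a
# master key and hold the terminal side in a secure access module (SAM).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


@dataclass
class Card:
    """The chip: holds the key in its own circuitry and only ever emits MACs."""
    card_id: bytes
    _key: bytes = field(repr=False)

    def respond(self, terminal_id: bytes, terminal_nonce: bytes):
        """Message 2: answer the reader's challenge with a fresh nonce and a tag."""
        card_nonce = os.urandom(16)
        tag = mac(self._key, b"card", self.card_id, terminal_id,
                  terminal_nonce, card_nonce)
        return card_nonce, tag

    def verify_terminal(self, terminal_id: bytes, terminal_nonce: bytes,
                        card_nonce: bytes, tag: bytes) -> bool:
        """Message 3 check: the reader proved it holds the key too."""
        expected = mac(self._key, b"terminal", terminal_id, self.card_id,
                       terminal_nonce, card_nonce)
        return hmac.compare_digest(expected, tag)


@dataclass
class Terminal:
    """The reader (point-of-sale till or door controller)."""
    terminal_id: bytes
    _key: bytes = field(repr=False)

    def challenge(self) -> bytes:
        """Message 1: a fresh random nonce, so old answers cannot be replayed."""
        return os.urandom(16)

    def verify_card(self, card_id: bytes, terminal_nonce: bytes,
                    card_nonce: bytes, tag: bytes) -> bool:
        expected = mac(self._key, b"card", card_id, self.terminal_id,
                       terminal_nonce, card_nonce)
        return hmac.compare_digest(expected, tag)

    def prove(self, card_id: bytes, terminal_nonce: bytes,
              card_nonce: bytes) -> bytes:
        """Message 3: the reader's own tag, bound to both nonces."""
        return mac(self._key, b"terminal", self.terminal_id, card_id,
                   terminal_nonce, card_nonce)


def mutual_authenticate(card: Card, terminal: Terminal) -> bool:
    """Run the three-message exchange; True only if each side verified the other."""
    t_nonce = terminal.challenge()                                # 1. reader -> card
    c_nonce, c_tag = card.respond(terminal.terminal_id, t_nonce)  # 2. card -> reader
    if not terminal.verify_card(card.card_id, t_nonce, c_nonce, c_tag):
        return False                                              # counterfeit or wrong key
    t_tag = terminal.prove(card.card_id, t_nonce, c_nonce)        # 3. reader -> card
    return card.verify_terminal(terminal.terminal_id, t_nonce, c_nonce, t_tag)


class SkimmedCopy(Card):
    """Models 'skimming': a copy of the card's readable data without its key."""
    def __init__(self, card_id: bytes):
        super().__init__(card_id, b"\x00" * 16)  # the copier can only guess a key


def replay_is_rejected(card: Card, terminal: Terminal) -> bool:
    """A response recorded in one session fails against the next challenge."""
    old_t_nonce = terminal.challenge()
    old_c_nonce, old_tag = card.respond(terminal.terminal_id, old_t_nonce)
    new_t_nonce = terminal.challenge()
    return not terminal.verify_card(card.card_id, new_t_nonce, old_c_nonce, old_tag)


if __name__ == "__main__":
    genuine = Card(b"WIT-000001", SHARED_KEY)  # constructed identifiers
    till = Terminal(b"POS-01", SHARED_KEY)
    print("genuine card:", mutual_authenticate(genuine, till))  # True
    print("skimmed copy:", mutual_authenticate(SkimmedCopy(b"WIT-000001"), till))  # False
    print("rogue reader:", mutual_authenticate(genuine, Terminal(b"POS-99", b"\x01" * 16)))  # False
    print("replay rejected:", replay_is_rejected(genuine, till))  # True
```

Because the card only ever emits a MAC over a fresh nonce, the data a skimmer could read off the card (identifier, balance, file contents) does not let a copy pass the exchange, and a response captured in one session is rejected in the next; this is the property that separates the chip from a magnetic stripe, and it holds only for as long as the key cannot be extracted from the card.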
1.2 Disadvantages of Smart-card Technology 

Smart-cards offer many incentives; however, the disadvantages arising 
from the technology must also be identified before its introduction into any 
environment. The following are some of the disadvantages of the 
technology: (1) cost, (2) privacy, (3) standardization, (4) consumer 
acceptance and critical mass and (5) multiple application issues. Each of the 
disadvantages identified is outlined below: 

(1) To avail of the technology, organizations need to deploy readers, which 
add to the cost of deployment and also limit the use of the cards to 
locations where the infrastructure is ready and available [Armstrong, 
2001]. Currently, there is a lack of infrastructure to support Smart-cards. 
This is one of the greatest disadvantages for merchants due to the 
expensive cost of replacing former equipment with smart-card-compliant 
terminals, as well as additional operating expenses and the cost of training 
employees [Manchester, 1997]. Increasing numbers of vendors and 
manufacturers are entering the Smart-card market, which will force 
prices down [Christensen et al., 2001]. 

(2) One factor that is causing concern is privacy, especially as a single smart- 
card holds considerable information about its user and can create an audit 
trail of their transactions resulting in the loss of anonymity that existed 
with cash transactions [Beverly et al., 2002]. The information it stores is 
usually already available in some format or another and the card merely 
makes that information portable, available and in the possession of the 
owner [Wood, 2002]. Credit card information, for example, already 
includes an enormous amount of customer data based on preferences and 
habits [Wood, 2002]. 

(3) Standardization is vital to the development and acceptability of Smart- 
card technology [Banerjee, 1997] because, according to the emerging 
markets theories [Day & Fein, 2000], standards wars tend to slow down the 
diffusion of new technical innovations [Rogers, 1995]. Standardization 
and interoperability are crucial factors in achieving a critical mass of 
users [Papameletiou, 1999], and if they do not exist this acts as a deterrent to 
expanded Smart-card deployment [Frost & Sullivan, 2003]. Due to the 
number of Smart-card systems entering the market, Smart-card 
interoperability is important because people do not want to carry more 
cards and have separate incompatible ways to use them [Mantyla, 2001]. 
It is also important for Smart-card application developers so that they 
do not have to deal with a variety of different card terminals and 
operating system languages when developing their applications. Smart- 
card operating systems are extremely important because with open 
operating systems there is no dependence on a single manufacturer or 
application developer, leading to a greater choice of manufacturers and 
application developers [Chandak & Shah, 2001], cost reduction, 
processing capabilities and, most importantly, interoperability [Moll et 
al., 2001], as multiple applications can reside on the same card. 

(4) One of the biggest obstacles to the mass adoption of Smart-cards is 
customer education. Most consumers do not know what they need or 
want until they actually have it [Wallis, 2002]. The use of a smart 
identification in organizations to provide access to both physical and 
digital resources will force employees to become accustomed to having 
their cards in their possession at all times. Education and advertising will 
be very important in changing people’s habits and expectations of this 
new technology [Truman et al., 2003]. 

(5) Smart-cards are flexible and therefore can be used for different 
applications [Pohlmann, 2001] but responsibility in the case of a problem 
(technical or legal) with a multifunctional card providing several 
applications from different services is a dilemma. The issue of control of 
the card and how it is managed will and does cause concern. 

Today, Smart-cards exist in one form or another in many different sectors 
and are a part of everyday life in areas such as banking, transportation, 
access and mobile communications. Smart-cards offer almost unlimited 
application possibilities and realise their true value when a single card 
handles multiple applications. There is a move towards the multi-application 
Smart-card with the maturity of operating systems such as Java and Multos, 
and falling prices. According to Briney (2002), the multi-application 
capability of the Smart-card is the single principal driver of its growth. 
Hovenga Fancher (1997) claims that Smart-cards will be a tool for 
addressing the ‘customer of one’, with customisable generic cards eventually 
becoming available allowing the customer to choose from a menu of 
applications. The primary market or use of the card is communities or 
‘closed systems’, such as universities or the military. These communities 
generally tend to be successful [Truman et al., 2003] as people are affiliated 
with them and there tend to be discounts or a lack of alternatives. This paper 
therefore investigates the adoption of the technology in an educational 
setting. 



2. RESEARCH OBJECTIVE AND APPROACH 

The objective of this research was to investigate the adoption of Smart-card 
technology in an educational environment, considering the factors which 
affect its acceptance and use. The objective required the researchers to gain 
an in-depth understanding of Smart-card technology, focusing on how the 
cards are deployed and utilized in an academic setting. Due to the qualitative 
and exploratory nature of this study, a single-site case study was employed 
as the most appropriate research approach. Consequently, semi-structured 
interviews were conducted using a pre-constructed interview guide. The 
questions were prepared based on previous research in the area of Smart- 
card technology. The researchers found this approach to be adequately 
flexible, allowing the respondents to develop certain questions where 
necessary and to address areas that were not suggested in the guide but that 
they felt were pertinent to this research. 



3. BACKGROUND TO THE CASE - WIT 

Waterford Institute of Technology (WIT) is the sole provider of higher 
education in the South East region of Ireland, and has the highest number of 
third level students in the sector, with over 6,000 current full-time students 
and over 4,500 part-time students. The Auxiliary Services (AS) Committee 
at WIT controls all of the trading operations on campus with the aim of 
providing high quality non-academic services and facilities for the student 
population of WIT. Approximately seven and a half years ago, WIT made a 
decision to investigate the possibility of using Smart-cards for printing and 
photocopying due to the expense of paper handling. WIT initiated a research 
project in which it researched the systems used in other colleges. For two 
years, WIT conducted onsite investigations and gathered research from other 
implementations in both American and European universities. WIT then 
created a final report with the best components from each university system 
that were suitable for an Irish environment. The college decided to employ 
its own team and develop an in-house system. The photocopying and 
printing system was put in place two months later, and the vending and point- 
of-sale systems over a period of two years. Currently, WIT has fifteen applications 
running on its Smart-cards, which the college developed in-house. 
Unfortunately there was not sufficient time to test the card initially, as WIT 
was committed to introducing the card in September 1999, and also because 
the college felt it was very difficult to introduce it in a test situation, 
primarily due to the fact that students would not take it seriously. Since then, 
any new application WIT introduces is accepted and implemented on a pilot 
basis. WIT succeeded in installing the entire project at no cost, sourcing 
finance and support from different sectors. A considerable benefit for the 
college was the introduction of the card for printing and photocopying, as 
students had no other option but to use the card. When the college 
introduced vending and then point-of-sale in the restaurants, the students 
were already accustomed to the technology. 
3.1 The WITCard 

The WITCard is one of twenty-six different services that the committee 
provides. It was introduced in September 1999, by AS, and it is the official 
identification card for both staff and students. It is a multifunctional card 
which has replaced all of the other cards in use by integrating various 
applications into one single card, namely the following: the library, college 
identification, printing, photocopying, point-of-sale, vending, access control 
and voice mail. The card allows cashless purchasing on campus where the 
card is used at any point-of-sale on the campus, such as the restaurants and 
campus shops. A bar code on the card is still used in the library to allow 
users to borrow books and journals. In the event of a charge for late return of 
books, the electronic purse can be used to make the appropriate payment. 
There is also an Internet Card Management System (Internet CMS), recently 
developed by WITCard Services, which allows the card holder to check their 
card balance, view and print statements of all transactions, deactivate their 
card, and change their password. 



3.2 Incentives for Use 

The college conducted a joint survey with Irish and British banks on the 
cost of handling cash. The results of the survey concluded that the cost was 
somewhere between twelve and fifteen percent. If a student or staff member 
uses their card on campus to buy items such as food or stationery, they will 
get a ten percent discount due to the reduction in the costs of handling cash. 
Therefore, the benefits from the savings are passed on to the card user in the 
form of discounts. The college has also received other huge savings, such as 
labor costs and safety. The WIT library is also a cashless environment; the 
restaurant will not accept cash, only a card, eliminating problems with floats 
or cash. Prior to the introduction of the WITCard, the college did not have 
many security systems in place. The card used by the college was just an 
identification card with a barcode printed on it. Essentially, there was no 
security, and for safety reasons students have much more faith carrying e- 
cash as opposed to carrying cash. The PIN feature of the WITCard is not 
used except when security is required. Currently, the only place the PIN on 
the chip is used in the college is for access control to campus residences, to 
protect against thieves accessing those residences with stolen cards. Even 
when purchasing at the tills there is no PIN, as the manual entry of the PIN 
slows down the queue. While the facility is there for the PIN, the college has 
not used it and does not see the need to use it because it has not 
encountered any breach of security. Security has become an increasingly 
important issue for WIT and the college is using Smart-cards to deal with 
this issue. The Smart-card is superior to the magnetic stripe in terms of 
security and makes students feel secure in the knowledge that user accounts 
will not be compromised and that students will not lose their money. 
Confidentiality, integrity, non-repudiation, and authentication are all key 
factors. At the moment WIT guarantees these factors as students are provided 
with back-office accounts. As EMV (a Europay, MasterCard, and Visa 
devised specification) develops and WIT incorporates an open electronic 
purse on the card and starts using open payment systems such as Java cards, 
it will then have to utilize a very secure authentication system. 

An additional advantage to the university is the increased productivity of 
its staff. For example, one simple benefit at the moment is modernising the 
‘clocking-in’ systems. There was a ‘Working Time Act’, introduced in 1997, 
which obliged all employers by law to record the time and attendance of 
their employees. The act was implemented to stop claims by employees that 
their health had been damaged when they were forced to work more than the 
statutory forty-eight hours a week. In September 2003, all of WIT's non- 
lecturing staff, using their WITCard to access facilities, will have their time 
and attendance recorded and held on record for three years. For the students, 
the WITCard is extremely easy to use as well as portable, which means that 
they are not limited to any single location with the card. Students also have 
fewer cards to carry around, as the WITCard is multifunctional and has 
replaced all of their other cards by integrating the various applications onto 
one single card. There is also the ten percent discount that the students get 
for using the card instead of cash. The college also promotes the WITCard as 
much as possible, and students can win prizes such as televisions and 
bicycles by using the card at a particular time. This marketing strategy was 
very popular with both the students and staff, as every time they used the 
card they had a better chance of winning a prize. 



3.3 Difficulties Encountered 

The cost of the implementation was a very important factor for WIT; 
however, once the college decided on a Smart-card system, it worked on 
ways of raising money to fund the project. The college selected a system 
that was robust, that would actually handle magnetic stripe and allow 
migration of applications from the magnetic stripe to the chip. If WIT had 
not planned the migration from magnetic stripe to chip from the start of the 
project, the whole system would have had to be rebuilt. A lot of similar 
projects failed because they did not plan at the early stages for this change in 
technology two or three years later. As research has shown, standardization 
is a very important factor, and WIT is currently working with colleges across 
Europe to develop standards for universities and colleges so that there will 
be interoperability between them and a card from one college will be able 
to work in another. The WITCard is compatible with standards such as the 
common electronic purse specification (CEPS) and personal computer / 
Smart-cards (PC/SC); however, these are not approved standards. There has 
to be an agreed standard under the International Standards Organization 
(ISO), which uses an accreditation system. 

Training was part of the initial rollout and was provided and managed by 
AS. Courses were provided for the operators of the tills, as well as for 
students and staff. Students were even employed to tutor training courses 
and promote the card within the student population. AS also produced and 
provided promotional videos and pamphlets describing the card system. The 
college was expecting that in the second year of the introduction it would 
encounter resistance, because in the first year the card was new and the 
students would view it as a novelty. At WIT, as its research had shown, 
it was in the second year, when the card actually started to take hold, 
that the college experienced resistance from a group of the students for a 
period of about three months. More than 6,000 students, organised by the 
students’ union, boycotted lectures at WIT for a day in protest against the 
use of the new card system. The resistance centred on the fact that the card 
was expected to be insecure. Students also presumed that college 
management were reading the information stored in the back-office system, 
such as where students were eating and what they were purchasing, which, 
according to the college, was not the case. When implementing change, there 
is always going to be resistance, but it is important to target the core services 
that students require. The college succeeded in reducing the cost of printing, 
so students experienced a massive reduction. The discounts were part of the 
strategy to increase acceptance, but a lot of students felt that the college was 
discriminating against a core student body by giving a ten percent discount 
for card use. Another reason for the resistance was the fact that WIT 
was the first college to implement this type of card in Ireland. Other colleges 
considering implementing Smart-card systems will be able to see the key 
benefits of the technology and will be able to avoid the problems 
encountered by WIT. There is a sense of prestige or image for students of 
WIT in having this card, because the WITCard was the first chip student card 
and is currently unique in comparison to other institutes. Some of the initial 
resistance was also caused by students who were angry that the majority of 
transactions on-campus were card-based, resulting in long queues for the 
few remaining cash tills. The benefits of a mixed cash system as opposed to a non- 
cash system are not as high, as there are still cash handling problems with the 
mixed system. Currently, WIT has fifty percent of all the money on 
campus in electronic cash (e-cash), and fifty percent of it in cash. WIT is 
expecting that within the next few years this will increase to between seventy 
and seventy-five percent e-cash. The driving factor for the card at the 
moment is the ten percent discount. Students will actually use the card if 
they get a ten percent discount, plus the fact that a lot of the college’s 
operations at the moment, such as the sandwich bar, the new library and the 
campus bookshop, will not accept cash, which means that every student or 
staff member at some stage has to use their card. The card is compulsory, in 
that it is the standard college identification (ID) card; therefore the card 
operates within a ‘closed environment’, effectively eliminating choice within 
the college and usability off-campus. 

WIT has an acceptance agreement with all of its cardholders (both 
students and staff) that the college will not release any information that is 
stored on the cards or in the back-office account without the cardholder’s 
written permission. The only exception to this is if a student or staff 
member’s health is at risk. Access will only be issued when there is clear 
evidence that the health of a student is at risk, for example if the student was 
missing and the police wanted to see where the student last used the card. 
Initially, the students were protesting because it was felt that the card was an 
intrusion on their privacy and that the college was monitoring the users’ 
spending habits and deducting library fines automatically from the user 
accounts (which was the case) during the summer. Under the conditions of 
the privacy agreement formed with the student body, WIT cannot deduct funds 
from users if there is a fine outstanding in the library; it is currently the 
responsibility of the library to enforce the payment of fines, not the card 
office (see Table 1 for a summary of the findings). 



Kevin O'Sullivan, Karen Neville, and Ciara Heavin

Table 1: Case Findings

Columns: Smart-Cards (Advantages; Disadvantages) and Educational Case: The WITCard (Problems Encountered; Benefits Derived).

Row 1
  Advantages - Security: multiple factor authentication [Armstrong, 2001; Lewis, 2002]; processing capabilities; self containment; tamper resistant [Lett et al., 2002]; access to memory controlled; lock-down [Lewis, 2002]; copy proof [Gemplus, 2003]; PKI [Bassett, 2001].
  Disadvantages - Privacy: loses the anonymity of cash [Beverly, 2002].
  Problems Encountered - Cost: the cost of the system was important early on, but WIT wanted the best system it could buy and raised finance and support from different sectors. In-house system. Planning was very important in saving later expenses such as migration costs.
  Benefits Derived - Security: fewer muggings of students; less chance of robberies in college shops as there is no cash. Security is important, and magnetic stripes can be 'skimmed' too easily. A PIN is used only for access to campus residences, as PINs slow queues. Multiple applications are only important where fraud is a problem.

Row 2
  Advantages - Memory size: greater than magnetic stripes [Rastogi & Das, 2002]; allows multiple applications [Miller, 2002]; biometrics and encryption.
  Disadvantages - Standardisation: standards not well developed [Husemann, 2001]; standardisation and interoperability [Papameletiou, 1999].
  Problems Encountered - Standardisation: the WITCard is compatible with certain standards, but there need to be ISO-accepted standards. Important to be EMV compliant. Modern chip obsolete by 2005.
  Benefits Derived - Cost savings: reduction in the cost of handling cash of 12 to 15%. Students get a 10% discount on all smart card purchases. No need to hire a cash handling company.

Row 3
  Advantages - Portability: size of a credit card [Pikrammenos, 2002]; not limited to one location [Coia, 2002].
  Disadvantages - Consumer acceptance: customer education; education and advertising [Truman et al., 2003].
  Problems Encountered - Training: training courses for operators and staff. Promotion and marketing for students with pamphlets and videos.
  Benefits Derived - Convenience: replaced all the other cards students had to carry around.

Row 4
  Advantages - Multiple applications: processing power; lower costs.
  Disadvantages - Multiple applications: who manages the card? [Newman & Sutter, 2002].
  Problems Encountered - Resistance to usage: fears over security of money; privacy of information; tracking of students' use; length of queues; the card was used for core services, so there was no choice.
  Benefits Derived - Portability: students are not limited to one location with the card.

Row 5
  Advantages - Convenience: provides convenience for the students. Ease-of-use: familiar method [Gemplus, 2003]; wallet size.
  Disadvantages - Cost: deployment; readers; replacing former equipment; training.
  Problems Encountered - Privacy: WIT guaranteed privacy of information on the card.
  Benefits Derived - Ease-of-use: very easy to use.

Row 6
  Advantages - Cost savings: no telephonic [Newcombe, 1999]; timesavings [Miller, 2002]; eliminates paper handling costs [Choi et al., 1998]; cash handling [Kalakota & Whinston, 1996]; more reliable and longer lasting [Chanson, 1998; Petri, 2002]; easily updated without reissuing [Gemplus, 2003]. Micro-charging: ideal for small purchases [Karppinen, 2000].
  Disadvantages: none listed.
  Problems Encountered - Initial problems: no major problems, some minor problems such as a card not reading.
  Benefits Derived - Productivity: makes the job of college staff easier, for example time and attendance. Transaction times reduced: special queues for students using smart cards are faster as no change is involved.


4. DISCUSSION

Presently, WIT uses a two-kilobyte contact chip, the 'Schlumberger Payflex', on its Smart-cards. Before the introduction of the WITCard the college was using magnetic stripe cards as well as barcodes, and it felt it was important not to implement change too quickly. For this reason all three methods have been retained on the card to date and are used at different outlets. WIT's plan over the next two years is to transfer all of the applications onto the chip because "...the chip is a much more secure system than the magnetic stripe". The college has never had a security breach with the card to date, which is very important as "...you can never guarantee security". WIT also plans to introduce contactless technology, the 'Philips MIFARE Contactless' system, for access control and time and attendance. Contactless technology plays a significant part in Smart-card systems, particularly in areas such as access control and transportation, where the speed of transactions suits busy processes such as taking student attendance at WIT. Its weakness is that banks have yet to adopt it as a secure standard, so it is really only suitable for low-value applications like access control and transit where large amounts of money are not involved. A practical consequence for access control is that a contactless reader authenticates whatever card is in range, not the person holding it, so a lost or stolen card must be reported and revoked promptly. The college built its back-office system on Linux with an Oracle database because Microsoft was "...a costly product due to licensing arrangements....". The college also found Linux to be a very robust system, which worked very well. Originally, WIT would have bought a complete card system from a vendor, but there was nothing available in Ireland, the products available in the UK were very poor and the US systems changed frequently, so the college decided to build its own. A vendor's proprietary system would also have had to be learned, delaying delivery and making it harder to develop applications.

WIT is able to store its e-purse on the WITCard chip, but the cards operate in a closed environment and the purse is currently held online in a back-office database. The college identified a clear problem with storing money on the chip: when an end user lost the card, the money on it was lost with it. Because the back-office account records every transaction, the college can instead replace a lost card and restore the balance immediately. Downloading money onto the chip remains possible and will be implemented when management decides to extend the Smart-card to use off campus, for example as payment for public transport. Students would then download a small amount from their main back-office account onto the chip for use outside the campus.
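The split between value held in the back office and value downloaded onto the chip can be made concrete with a small model. The following Python is an added example, not WIT's software: the card serials, amounts and the cap on what may be loaded onto the chip are assumptions made for the illustration. It shows why a lost card costs the student only what was on the chip, and why the revoked serial can no longer spend.

```python
# Added illustration of the purse design described above; this is not WIT's
# code.  Card serials, amounts and the chip load cap are assumed for the example.
from dataclasses import dataclass, field


@dataclass
class Account:
    holder: str
    balance_cents: int          # value held in the back-office account
    active_card: str            # serial of the card currently bound to the account
    chip_cents: int = 0         # value downloaded onto the chip (lost with the card)
    history: list = field(default_factory=list)   # the audit trail


class BackOffice:
    MAX_CHIP_LOAD_CENTS = 2000  # assumed cap: at most 20.00 may live on the chip

    def __init__(self):
        self.accounts = {}      # holder -> Account
        self.card_index = {}    # active card serial -> holder

    def issue(self, holder, card_serial, opening_cents):
        acct = Account(holder, opening_cents, card_serial)
        self.accounts[holder] = acct
        self.card_index[card_serial] = holder
        return acct

    def _lookup(self, card_serial):
        holder = self.card_index.get(card_serial)
        if holder is None:
            # lost, stolen, reissued or unknown card: no access to the account
            raise PermissionError("card %s is not active" % card_serial)
        return self.accounts[holder]

    def online_purchase(self, card_serial, outlet, amount_cents):
        """Every campus outlet is online, so the card is only a key into the
        account; the money never leaves the back office."""
        acct = self._lookup(card_serial)
        if amount_cents > acct.balance_cents:
            raise ValueError("insufficient funds")
        acct.balance_cents -= amount_cents
        acct.history.append((outlet, amount_cents))
        return acct.balance_cents

    def download_to_chip(self, card_serial, amount_cents):
        """Off-campus use: move a small, capped amount onto the chip.  Only
        this amount is at risk if the card is lost."""
        acct = self._lookup(card_serial)
        if amount_cents > self.MAX_CHIP_LOAD_CENTS or amount_cents > acct.balance_cents:
            raise ValueError("load exceeds cap or balance")
        acct.balance_cents -= amount_cents
        acct.chip_cents += amount_cents
        return acct.chip_cents

    def replace_lost_card(self, holder, new_card_serial):
        """Revoke the old serial and bind a new one.  The account balance is
        untouched; only value already on the chip is gone."""
        acct = self.accounts[holder]
        lost_on_chip = acct.chip_cents
        del self.card_index[acct.active_card]
        acct.active_card = new_card_serial
        acct.chip_cents = 0
        self.card_index[new_card_serial] = holder
        return lost_on_chip


def demo():
    """Walk through: purchase, small chip load, lost card, reissue."""
    bo = BackOffice()
    bo.issue("student-1", "CARD-0001", 5000)
    bo.online_purchase("CARD-0001", "canteen", 350)
    bo.download_to_chip("CARD-0001", 1000)
    lost_on_chip = bo.replace_lost_card("student-1", "CARD-0002")
    balance_after_reissue = bo.accounts["student-1"].balance_cents
    try:
        bo.online_purchase("CARD-0001", "shop", 100)   # the lost card
        old_card_works = True
    except PermissionError:
        old_card_works = False
    new_card_balance = bo.online_purchase("CARD-0002", "shop", 100)
    return {
        "balance_after_reissue": balance_after_reissue,
        "lost_on_chip": lost_on_chip,
        "old_card_works": old_card_works,
        "new_card_balance": new_card_balance,
    }


if __name__ == "__main__":
    print(demo())
```

The `history` list is the audit trail that the conclusion calls a privacy limitation: a lookup-based purse cannot be anonymous, because every purchase is written against an identified account.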



5. CONCLUSION

Clearly, a number of lessons may be learned from the WIT Smart-card implementation. Firstly, it is evident that in the current environment security is at the forefront of users' concerns when using Smart-card technology. Every application on the campus is currently online, so there is no need to store money on the chip; this ultimately gives end users greater security, as the main balance is held in the back-office account. The WITCard is secure, which is important because if students do not feel the card is secure they will not use it. The audit trail generated by such a card, however, remains a limitation of the technology. Secondly, ease of use has become another key factor when introducing new technology to any environment. Users' expectations have risen over the last number of years as organizations strive to meet customer needs through the provision of products, services, information and, most importantly, ongoing support. Smart-card technology is no different: customers have come to expect the quickest and easiest means of doing business, and for Smart-cards this means combining a range of functionality in one single, portable, multipurpose card. Finally, it is evident from the WIT case that for users to accept and effectively use the new technology, they must be given some incentive to do so. In this instance, students were offered a 10 percent discount on campus for using their cards. Considering the average demographic and income of the student body, offering discounts was the key strategic move in promoting widespread use of the WITCard. While the WIT Smart-card implementation experienced some problems, WIT appears focused on a 'smart future', with plans for the card to store applications, "...but you have to crawl before you walk and there is no point in going too far too quick".
Abstract: The Information Security Faculty of MEPhI has recognised the need for an educational environment for teaching information and network technologies and their security. MEPhI has already designed and implemented the Network Security Scientific and Research Laboratory. It consists of several logical segments: an Internet emulation segment, team segments for mutual attack and defence, a control segment (the administrator's/instructor's workplace and the gateway to the Internet), the Distance Learning System, and the transport medium connecting all the segments. We defined the traditional and distance educational courses that use the Laboratory, the objects and methods of study, the prerequisite and resulting knowledge and skills, the configuration of student and administrator workplaces, the topology, methodical support, scientific and research work, and technical support. Laboratory users carry out the following work: vulnerability and security testing, and computer-aided testing facilities; familiarisation with the tools used to secure systems; design of secure systems and subsystems. Several electronic tutorials for different parts of the information security courses have been created.

Key words: security education, information security, network security, laboratory support, distance learning



1. INTRODUCTION

The Information Security Faculty of the Moscow Engineering Physics Institute (State University) (MEPhI) has recognised the need for a new educational environment for teaching information and network technologies. Higher education is undergoing structural change not only in its student population but in its learning paradigms and curricula: the student becomes an active participant in class. Today more than ever we need a testing area for student practice, especially for courses on computer and network security. This testing area should be "a real world in miniature", ready for the experiments on network attacks and protection techniques that we cannot allow our students to carry out in the real world of the University intranet or the global Internet. This is not surprising: security education has a strong theoretical foundation but has lacked practical training. Of course, students were given lectures and recommended extra literature, and various ways of applying the acquired knowledge in everyday practice were described to them. Nevertheless we have to admit that these activities are no longer sufficient. When applying for a job, a person who has worked with real equipment, who has designed and implemented even a small project, and who is more or less familiar with the software in use, will undoubtedly have an advantage over others. So, until now, students owed whatever knowledge and experience of this kind they had only to themselves, because it had been obtained with their own hands in their free time.

Last year MEPhI, together with Microsoft's Moscow representatives and some Russian commercial companies (such as STC Electron-service and CROC), opened the "Network Security" Scientific and Research Laboratory. Its main goal is to put the "education-science-business" approach into practice. This in turn means:

1. a new level of scientific and research activity for the MEPhI faculty;

2. more efficient training of specialists in the group of "Information security" specialities, and retraining of staff in the field of "security of information technologies";

3. the adoption of new educational technologies.

With such a Laboratory it is possible not only to continue training specialists in the specialities "Complex protection of informatization objects", "Complex information security of computer-based systems" and "Computer security", but also to raise the quality of that training. And since the faculty runs monthly personnel retraining courses for the Bank of Russia, Sberbank, Vnesheconombank and others, the results of that training can be significantly improved through, for example, expanded practical training or additional laboratory work.

Owing to this considerable support we can use new educational technologies, for example distance learning, distance progress testing (certification) and informational support of the educational process.

Thus there is an evident increase in the efficiency of specialist training and success in adopting new educational technologies. Students, and even the instructors themselves, get real help in improving their theoretical and practical professional skills.



2. LABORATORY DESIGN

When only limited resources are available, careful planning and design are essential to use those resources effectively and implement the project to a high standard. We defined the following stages in creating the "Network Security" Scientific and Research Laboratory (hereafter "the complex"): pre-project and design stages, search for partners, project adjustment, assembly and commissioning, presentation, operational testing and operation.

At the pre-project stage the premises for the Laboratory design were explored and the need for it was justified. The design stage followed. It in turn included several steps at which the following points were defined:

- goals and tasks for the creation of the complex;

- educational courses using the complex;

- objects and methods of Laboratory studies;

- prerequisite and resulting knowledge and skills;

- intruder models and attack scenarios, and hence the necessary hardware configurations;

- configuration of the administrator's and instructor's workplace;

- structure of the complex;

- hardware and software requirements and specifications;

- teaching and methodical support for laboratory, scientific and research work (textbooks, tutorials, policies, etc.);

- support for the operation of the complex.

That is, the design stage covered compiling the logical design of the Laboratory and defining its hardware and software requirements. At the same time, after a thorough analysis of the courses that would use the Laboratory, the following main tasks for computer and network security education were designated:

- study of hardware, operating systems, data warehouses, software, and the hardware, software and technical means of network protection;

- design of operational models of protected networks based on new information and network technologies on different platforms;

- refinement of the main methods and scenarios of distance learning and progress testing;

- creation of an information database of security technologies;

- education of users and students;

- detection of local and remote network attacks;

- analysis of the mechanisms and means of attacks;

- discovery of channels of unauthorized information leakage from a system;

- definition of security policies and measures;

- elimination of the consequences of unauthorized intrusion into computer systems;

- evaluation of a system's protectability;

- installation, configuration and administration of security equipment;

- development of new methods and systems for information protection;

- creation of "sandboxes" for testing temporary software and new technologies.

We know that "sandbox" laboratories for security education are not a new idea; however, they are an excellent teaching and learning tool [for example 2, 3]. That is why we decided to implement one at the University.

To carry out all these tasks successfully the Laboratory has to meet definite requirements. For example, when modelling secure networks it is essential to have sufficient flexibility of configuration and scalability, whereas when evaluating a system's protectability and designing new methods of information protection, adaptability to a new operational environment is needed. The full list of project requirements was: maximum flexibility, simulation of various attacks, heterogeneity, low cost and availability.

The resulting logical structure of the complex, satisfying all the given requirements and able to carry out all the listed tasks, is depicted in Figure 1.



[Figure 1: the SANDBOX, comprising the Internet emulation segment, Team 1, Team 2 and the Control segment, with the Control segment linking out to the Internet.]

Fig. 1: logical structure of the Laboratory.
Thus the Laboratory consists of several logical segments or areas performing different functions. This increases the flexibility of the complex as a whole and allows it to be modified and/or expanded easily to fit new needs. The complex includes:

1. Internet emulation segment: a model of a public data network.

2. "Team 1" and "Team 2" segments: for mutual attack and defence.

3. Control segment: the administrator's/instructor's workplace and the link to the Internet.

4. Transport medium connecting all segments.

All segments include appropriate security equipment, its final make-up being defined by the problems currently being solved.

The Internet emulation segment plays the role of a public data network and is the transit area through which all traffic between the participating parties passes. That makes it the proper location for various information stores, "public" servers (DNS, proxy, Web, etc.) and a management system. The management system controls the operation of the segment and enforces the established security policy.

The team segments simulate corporate subnets with a typical present-day set of workstations and network services. These segments play the roles of attacked networks or attacking networks, or perform other functions (for example, serving as mini-sandboxes for testing temporary software). Accordingly, team segments should contain the following widely used modern hardware and software:

- workstation software (operating systems on the most popular and probable platforms: Microsoft, Unix, Novell; as well as Web browsers and other software needed for the problem at hand);

- communication facilities (may be absent if the segment is being used as an "isolated" area);

- databases (Oracle, Informix, MS SQL, MySQL, etc.; the final choice depends on the problem being solved);

- e-mail facilities (servers and client software);

- other servers (application, Web, file and others not yet defined);

- security subsystems and hardware/software security facilities;

- programming tools (for analysing existing security facilities and creating our own, and for analysing vulnerabilities and various technologies);

- adaptive network security and management tools, including systems for evaluating protectability, monitoring user activity, traffic analysis and intrusion detection.

The control segment is the working place of the administrator (an instructor plays this role during laboratory work) and controls the access of participants to services external to the complex (for example, the Internet). This area should therefore include adaptive network security and management tools, security subsystems and hardware/software security facilities, e-mail facilities and other servers.

All segments are linked into a single complex by the transport medium, which should be built with the most popular technologies used today in private networks (intranets). In our case the transport medium is Ethernet, because it is the most flexible, cheap and scalable technology and can satisfy nearly all speed and QoS requirements.

The team segments (and the control segment) use various software, ranging from freeware downloaded from the Internet for analysis to licensed operating systems and security facilities (for example, network audit tools, software firewalls, antivirus software, etc.). In addition, a unified database of all investigated vulnerabilities and defence methods and of the hardware and software in use, and a centralized support server maintained in the control segment, are of special interest.
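The segment layout above implies an isolation policy that the management system and the control segment have to enforce: attack traffic between the team segments must stay inside the sandbox, the instructor's workplace must not be reachable from the teams, and the only route to the real Internet runs through the control segment. The Python below is an added example of such a policy, not the Laboratory's own configuration; the address plan, the gateway address and the set of outbound ports are assumptions made for the example, and the sample flows are constructed rather than captured traffic.

```python
# Added example of the isolation policy the segment layout implies; this is not
# the Laboratory's own configuration.  The addressing plan, the gateway address
# and the allowed external services are assumptions made for the example.
import ipaddress

SEGMENTS = {                                  # assumed addressing plan
    "internet_emulation": ipaddress.ip_network("10.0.0.0/24"),
    "team1":              ipaddress.ip_network("10.0.1.0/24"),
    "team2":              ipaddress.ip_network("10.0.2.0/24"),
    "control":            ipaddress.ip_network("10.0.9.0/24"),
}
EXTERNAL_GATEWAY = ipaddress.ip_address("10.0.9.1")   # assumed: the control segment's route out
ALLOWED_EXTERNAL_PORTS = {80, 443}                     # assumed: fetching tools and updates only


def segment_of(ip):
    """Map an address to its segment; anything outside the plan is the real
    Internet or the University intranet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def decide(src, dst, dst_port):
    """Return (allowed, reason) for a flow.  Rules, in order:
    1. nothing from outside may enter the sandbox;
    2. only the control segment may talk to the control segment;
    3. traffic towards the real Internet must originate from the control
       gateway and use an allowed service port;
    4. team and emulation segments may talk to each other freely (the
       emulation segment is the transit area between the teams);
    5. the control segment may reach everything inside."""
    s, d = segment_of(src), segment_of(dst)
    if s == "external":
        return False, "inbound from outside the sandbox"
    if d == "control" and s != "control":
        return False, "control segment is reachable only by the administrator"
    if d == "external":
        if ipaddress.ip_address(src) != EXTERNAL_GATEWAY:
            return False, "exit to the real Internet only via the control gateway"
        if dst_port not in ALLOWED_EXTERNAL_PORTS:
            return False, "port %d not permitted outbound" % dst_port
        return True, "outbound via control gateway"
    return True, "%s -> %s inside the sandbox" % (s, d)


# Constructed sample flows (not captured traffic): (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.2.20", 445),     # team 1 attacks team 2: allowed, that is the exercise
    ("10.0.1.15", "10.0.0.53", 53),      # team 1 queries the emulated DNS: allowed
    ("10.0.2.20", "10.0.9.10", 22),      # team 2 tries the instructor's box: denied
    ("10.0.1.15", "198.51.100.7", 445),  # team 1 attack leaking to the real Internet: denied
    ("10.0.9.1",  "198.51.100.7", 443),  # control gateway fetching a tool: allowed
    ("203.0.113.9", "10.0.1.15", 22),    # someone outside probing the sandbox: denied
]


def audit(flows=SAMPLE_FLOWS):
    """Return the denied flows together with the rule that stopped them."""
    return [(src, dst, port, reason)
            for src, dst, port in flows
            for allowed, reason in [decide(src, dst, port)]
            if not allowed]


if __name__ == "__main__":
    for row in audit():
        print("DENY", row)
```

The same table of rules is what a packet filter on the control segment and the emulation segment's management system would implement; keeping it as an explicit function makes the isolation property testable before any exercise starts.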

The implementation stage followed the design stage. But the faculty could not afford to create the Laboratory on its own because of limited resources, so the executives approached outside organizations to open business relations and attract investment. This was the search-for-partners stage. The partners had to be interested in creating and maintaining the Laboratory, if only because they could use it as a test-bed for their new ideas and shift their everyday routine research and testing onto the shoulders of students and post-graduates. The partners were found (Microsoft's Moscow representatives, STC Electron-Service and the CROC company), and they made some modifications to the initial Laboratory topology so that it would be more flexible and more effective for solving various problems.

The final design of the complex, compiled by joint effort, is depicted in Figure 2.

All of this was built by the students themselves. During the summer months the work was finished and the complex was ready for presentation and operational testing.

The Laboratory is divided into two main parts. One part is designed for carrying out the following work within the complex's framework:

- examination of system vulnerabilities and analysis of unauthorized access to computers and networks;

- security testing and computer-aided testing facilities;

- extending students' knowledge of security concepts and principles;

- familiarization with the tools used to secure systems;

- design of secure systems and subsystems.

The second part of the Laboratory is intended for improving the basic techniques and scripts of distance learning and testing. New educational technologies based on multimedia computer systems and tools are widely used in the programmes of educational institutions from primary schools to universities. Their efficiency has already been proved in teaching foreign languages, in simulating physical processes and phenomena, and as help systems with a large amount of stored information. The application areas of computer learning systems, along with many other fields of knowledge, can become objects of study not only in class but also during a student's (or trainee's) independent work.




Fig. 2: final Laboratory topology.

The basis of this part of the Laboratory is the Distance Learning and Testing System (DLTS) developed earlier at MEPhI. It is a set of software and methodical tools for distance learning and personnel certification, based on current Internet technologies and modern educational and testing techniques and supported by specially trained personnel. The interactive DLTS Web site is built on Microsoft ASP technology; Internet Information Server 5.0 provides the ASP support, and the ASP scripts are written in VBScript. The DLTS information environment consists of educational material in HTML format and a centralized database under Microsoft SQL Server 2000. The tools for developing new courses, the test creation tools and the DLTS operation support tools are implemented as Internet and Delphi applications. All DLTS resources need to be protected, which is why it is located in the Laboratory.

MEPhI's DLTS has more than 1500 tests on different topics in information and network security. We define a test as a combination of interdependent or independent tasks of equal or differing complexity, arranged "from simple to complicated", that allows adequate assessment of knowledge and of other trainee characteristics important to the tutor. The tests have the following aims:

- self-testing of trainees during the information security programmes,

- testing the level of preliminary training (so-called pre-knowledge) before laboratory work,

- testing comprehension of the theoretical material studied, in addition to other forms of traditional progress testing during a term,

- testing a student's ability to apply newly acquired knowledge and skills in making their own decisions and implementing them as finished products, and in working out concepts, strategies, techniques, etc.,

- certifying trainees and testing their competence as the final progress test.

MEPhI's DLTS implements the following task types of differing complexity: selection from a set, multiple selection, matching, logical chain, term, object selection, situational task, and symbol sequence input. We added one interesting item to that list: dialogue emulation. It is not trivial to implement, because all the possible actions of a trainee and the reactions of the emulated system must be determined in advance; we have to foresee every way events can develop in the artificially created situation. But the approach has a positive side: the trainee's practical experiments do not affect the real parameters of the network environment.
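Dialogue emulation as described above is, in effect, a table of states: each state lists the trainee actions the author foresaw and the reaction the emulated system gives. The following Python is an added example of that structure, not the DLTS code; the scenario (a host that still runs telnet), its commands and its scoring are assumptions made for the illustration. `check_scenario` enforces the requirement that every transition target be defined in advance, and `run_dialogue` replays a trainee's input without touching any real host.

```python
# Added example of the "dialogue emulation" task type; not the DLTS code.
# The scenario, its commands and its scoring are assumptions for the example.

# Every state lists every trainee action the exercise foresees and the reaction
# the emulated system gives; anything else gets a canned reply.  Because the
# whole table is fixed in advance, nothing the trainee types touches a real host.
SCENARIO = {
    "start": {
        "prompt": "A host on the team segment still accepts telnet logins. Fix it.",
        "actions": {
            "show services":  ("start",          "telnet 23/tcp open, ssh 22/tcp open"),
            "stop telnet":    ("telnet_stopped", "telnetd stopped"),
            "stop ssh":       ("locked_out",     "sshd stopped; your own session is gone"),
        },
    },
    "telnet_stopped": {
        "prompt": "telnet is stopped but would return at the next boot.",
        "actions": {
            "show services":  ("telnet_stopped", "ssh 22/tcp open"),
            "disable telnet": ("done",           "telnetd removed from startup"),
        },
    },
    # terminal states carry the score awarded for reaching them
    "locked_out": {"prompt": "No access. Exercise over.", "actions": {}, "score": 0},
    "done":       {"prompt": "Host hardened.",            "actions": {}, "score": 10},
}
UNFORESEEN_REPLY = "command not available in this exercise"
PENALTY_PER_UNFORESEEN = 1


def check_scenario(scenario=SCENARIO):
    """The author must foresee every transition: return the target states that
    do not exist (an empty list means the table is closed)."""
    return sorted({target
                   for state in scenario.values()
                   for target, _reply in state["actions"].values()
                   if target not in scenario})


def run_dialogue(trainee_actions, scenario=SCENARIO):
    """Replay the trainee's actions against the table.  Returns the final
    state, the transcript of (action, reply) pairs and the score."""
    state = "start"
    transcript = []
    unforeseen = 0
    for action in trainee_actions:
        if "score" in scenario[state]:          # terminal state: stop reading input
            break
        if action in scenario[state]["actions"]:
            state, reply = scenario[state]["actions"][action]
        else:
            reply = UNFORESEEN_REPLY             # not foreseen: no state change
            unforeseen += 1
        transcript.append((action, reply))
    score = scenario[state].get("score", 0) - PENALTY_PER_UNFORESEEN * unforeseen
    return state, transcript, max(score, 0)


if __name__ == "__main__":
    assert check_scenario() == []
    print(run_dialogue(["show services", "stop telnet", "disable telnet"]))
    print(run_dialogue(["rm -rf /", "stop ssh"]))
```

The cost of the approach is visible in the table: every reply, including the one for an action the author did not anticipate, has to be written before the exercise is released, and `check_scenario` is the check that no transition leads to an undefined state.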



3. LABORATORY ACTIVITIES 

Even now the Laboratory is used not only in "external" projects but also directly supports (or will support in the near future) student training in the following educational courses:

- “Information security basics”, 

- “Theoretical foundations of information security”, 

- “Operating system security”, 

- “Network security”, 
- “Database security”, 

- “Complex information security of computer-based systems”, 

- “Cryptographic tools of information protection”, 

- “Technical methods and tools of information security”, 

- “Firmware methods and tools of information security”, 

- “Legal aspects of information security”, 

- “Organization of information security” and 

- “Building secure computer-based systems”. 

Besides there are plans to introduce the following new courses: “Secure 
network technologies”, “Monitoring of network security”, “VPN 
management”, “Informational and mail systems”, “Information security 
administrators”, “Building data networks” and “Network management tools”. 

But probably most important is the knowledge that trainees can gain in the Laboratory. For example, it allows them to learn to:

- reveal unauthorized computer access; 

- reveal network attacks; 

- analyze the procedures and means for performing attacks; 

- discover threats to informational computer systems; 

- discover vulnerabilities and bugs in systems, services and network 
protocols through which adversary’s intrusion can be expected; 

- discover channels of unauthorized information leaks from the system; 

- perform the network security monitoring; 

- operate the access isolation systems providing a controlled access to 
informational and network resources; 

- design secure informational systems; 

- elaborate the system’s security policy; 

- define measures and procedures of accident prevention; 

- eliminate the consequences of unauthorized intrusion into a system; 

- evaluate the system protectability; 

- define the purpose, basic functions and place of information security standards in the system, and the peculiarities of using a specific standard;

- evaluate the functional capabilities of the existing security equipment and 
determine the applicability of firmware in network architectures; 

- configure the security facilities built into many systems; 

- ensure the secure operation of system applications; 

- administer security equipment; 

- develop methods of defense; 

- implement new systems and means of information protection; 

- know the basic legal documents and standards in information security; 

- prepare documentation for new security equipment for further state level 
certification. 
This is not a comprehensive enumeration, and even so it should not be taken literally, because every student will choose his own specialization and the questions he will study thoroughly. It is impossible to be a specialist in every field. Nevertheless all students will obtain the necessary minimum of knowledge on the above problems to continue independent study and research.

But to make the most of work in the Laboratory, without being distracted by "secondary" questions when solving definite problems, there is a list of prerequisites: the TCP/IP stack, network services, basic principles and technologies of network security, network operating systems (Unix, Windows 98/2000, NT, NetWare...), database management systems, computer viruses (malware), and programming technologies and languages.

The following works are going to be carried out within the complex’s 
framework: 

- examination of system vulnerabilities and analysis of unauthorized 

access to computers and networks; 

- security testing and computer-aided testing facilities; 

- extending students’ knowledge of security concepts and principles; 

- familiarization with instruments used for ensuring system security; 

- design of secure systems and subsystems. 

The titles of possible work vary widely. For example, the work entitled "Buffer overflow attacks" is designed for the "Programming technologies" course. For the "Computer hardware" course, the functioning of packet filters, link encryption devices and other hardware should be studied in the Laboratory. Revealing leakage paths is a good illustration for the "Communication networks and systems" course. Analysis of an OS's protectability and the setup of configuration files corresponds to the "Operating systems" course. Specific DBMS threats and built-in protection capabilities are the main topics for the "Database management systems" course. Network attacks and methods of detecting them best suit the "Computational networks" course. The "Management basics" course should involve designing security policies and studying the administrator's main responsibilities, etc.

The objects of Laboratory study are network hardware and software, protocols and services, standards, legal and normative documents, and standalone computers or groups of computers in internal and external networks with a specific hardware platform and installed software, both system (for example, the OS) and application (network), with Internet access. As for protection hardware and software, students should study the means designed for intrusion detection, security monitoring and audit, protection means (such as firewalls and encryption tools), access control implementation and security policy development, and, of course, the body of documents regulating actions in the field of information security. This is achieved with the following research methods:

- emulating intruder’s activities; 

- discovery of system vulnerabilities by scanning and probing; 

- experiments with security facilities and means of unauthorized access 
detection to determine their functional capabilities and to elaborate 
recommendations for their installation and improvement; 

- control of network information flows through traffic analysis; 

- assessment of protection of computers, networks, services, protocols, 
hardware and software in accordance with fixed procedures and in 
compliance with Russian standards and guidelines; 

- testing of security policies and new procedures of protection in order to 
determine their comprehensiveness and validity; 

- analysis of documents, regulating information security. 

With reference to learning network security this means: 

- examination of standard attacks described in various publications; 

- intrusion detection and elimination of the consequences of intrusions; 

- discovery of software and hardware vulnerabilities of standalone 
computers or of the network as a whole; 

- operation of access control systems for information and network 
resources; 

- elaboration of a system security policy and definition of the means of 
achieving it; 

- evaluation of how well functioning systems are protected and elaboration 
of recommendations for improving that protection; 

- design, installation, configuration and administration of security 
tools and of patches for existing software and hardware. 
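Two of the laboratory methods listed above, emulating an intruder’s activities and detecting network attacks by traffic analysis, can be exercised offline. The Python script below is an added example, not code from the paper or from the laboratory it describes: it emulates a TCP SYN port scan as a list of constructed connection records, mixes in ordinary client traffic, and runs a sliding-window detector that flags any source opening SYNs to many distinct destination ports within a short time. The addresses, ports, timestamps, window length and threshold are all assumptions chosen for the illustration.

```python
"""Added example (not part of the original paper): emulate a SYN port scan
and detect it by counting distinct targets per source in a sliding window.
All addresses, ports and timestamps are constructed for this illustration."""
from collections import defaultdict, deque

# Connection records as a network sensor might log them:
# (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags); "S" means SYN only.


def emulate_syn_scan(src, dst, ports, start, gap):
    """Constructed trace of an intruder scanning `ports` on `dst` from `src`,
    sending one SYN every `gap` seconds starting at `start`."""
    return [(start + gap * i, src, dst, port, "S") for i, port in enumerate(ports)]


def emulate_client(src, dst, visits, start, gap):
    """Constructed trace of a legitimate client repeatedly visiting a few services."""
    return [(start + gap * i, src, dst, port, "S") for i, port in enumerate(visits)]


# Constructed sample: 25 distinct ports probed in half a second by 10.0.0.5,
# plus a web client (10.0.0.9) that only ever opens ports 80 and 443.
SAMPLE_TRACE = (
    emulate_syn_scan("10.0.0.5", "10.0.1.20", range(20, 45), start=1000.0, gap=0.02)
    + emulate_client("10.0.0.9", "10.0.1.20", [80, 443, 80, 443, 80, 443],
                     start=1000.0, gap=0.3)
)


def detect_port_scans(trace, window=5.0, threshold=10):
    """Return {src_ip: set of (dst_ip, port)} for every source that sends SYNs
    to at least `threshold` distinct (dst_ip, port) targets within any
    `window` seconds.  Only pure SYNs count, so replies (SYN/ACK) and
    established traffic are ignored.  Records are processed in time order."""
    recent = defaultdict(deque)   # src -> deque of (ts, target), oldest first
    alerts = {}
    for ts, src, dst, port, flags in sorted(trace, key=lambda r: r[0]):
        if flags != "S":
            continue
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            alerts.setdefault(src, set()).update(targets)
    return alerts


if __name__ == "__main__":
    for src, targets in detect_port_scans(SAMPLE_TRACE).items():
        ports = sorted(p for _, p in targets)
        print(f"scan from {src}: {len(ports)} distinct ports ({ports[0]}-{ports[-1]})")
```

The window and threshold are the detector’s tuning knobs: a scanner that probes one port every few seconds never accumulates enough distinct targets inside a short window and goes unnoticed, which is exactly the kind of evasion a student can explore under the “attacks on intrusion detection systems” assignment by lengthening the window and watching false positives from legitimate clients rise.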

On the basis of these typical basic tasks, as well as of personal 
experience of designing the complex, the following immediate problems 
were prepared for students. Each of them is the title of a practical 
assignment for one laboratory work. 

1. Emulation of network protocols. 

2. Emulation of secure network protocols. 

3. Emulation of specific attacks. 

4. Creation of interfaces emulating operation of security facilities. 

5. Research of dependence between network topology and attacks. 

6. Research of the dependence between the transport medium in use (Ethernet, 
Fast Ethernet, FDDI, ATM...) and attacks. 

7. Research of peculiarities of telephone channel attacks. 

8. Research of peculiarities of fiber-optic attacks. 

9. Research of peculiarities of attacks from the Internet. 

10. Research of attacks on network hardware. 
11. Research of vulnerabilities and protection of Web servers and 
applications. 

12. Research of vulnerabilities of network services and commands. 

13. Research of attacks on electronic document interchange. 

14. Crypto protection. Digital signature. Public key infrastructure. 

15. Research of attacks on firewalls. 

16. Research of attacks on proxies and their detection. 

17. Research of vulnerabilities of client/server architecture. 

18. Research of vulnerabilities of databases and database management 
systems. 

19. Research of basic means of network protection - protection against 
unauthorized access. 

20. Research of basic means of network protection - firewalls. 

21. Research of basic means of network protection - adaptive network 
security. 

22. Research of basic means of network protection - anti-viruses. 

23. Research of basic means of network protection - virtual private 
networks. 

24. Research of basic means of network protection - security policy 
development and management. 

25. Research of means for file and session encryption. 

26. Research of network-based intrusion detection systems. 

27. Research of host-based intrusion detection systems. 

28. Research of attacks on intrusion detection systems. 

29. Research of system security scanners. 

30. Research of network security scanners. 

31. Research of security services: intrusion tests. 

32. Research of application-level attacks and application protection. 

33. Research of trusted operating systems. 

34. Vulnerabilities and protection of workstations. 

35. Design of one’s own means and methods of defense. 



4. ELECTRONIC TUTORIALS FOR INFORMATION SECURITY EDUCATION 

Let us identify the main objectives of creating electronic tutorials for 
the information security educational process. They are the following: 

- to help teachers present their professional knowledge in a new and most 
effective, electronic, form that gives the material the necessary modern 
level and high quality; 

- to apply teaching approaches that are automated and that draw on the 
extensive information resources of the Internet when presenting the 
curriculum to students; 

- to place students in an environment where they can creatively use this 
technology as part of their daily exercises within the framework of 
self-education; in this environment students can actively construct their 
own knowledge, setting their individual style of training and of 
mastering new information; 

- to give state-of-the-art information on the topic by means of hypertext 
references to Web sites with the newest documents, demos of the latest 
software tools for network information protection, and descriptions of 
the functionality of hardware protection tools. 

In 2003 several electronic tutorials for studying network security in the 
laboratory were developed and tested on undergraduate and postgraduate 
students. Their themes are the following: “Secure network protocols”, 
“Remote network attacks”, “Firewalls”, “Intrusion detection systems” and 
“Scanners”. A “Virtual private networks” tutorial is under construction now. 

Using the first of these tutorials as an example, we would like to show 
the main features of the others. The product, named ZSPs (from the Russian 
abbreviation for Secure Network Protocols), is used both to learn the theory 
of the protocols and to get initial practice in configuring them (during 
laboratory work). To achieve this, the basic configuration dialogs are 
emulated. The main purpose is to make education continuous and to close the 
gap between theory and practice. ZSPs makes a continuous educational process 
possible: students acquire knowledge and use it in practical tasks 
immediately, and thereby the quality of education is increased. 

The electronic tutorial (ET) is meant for those familiar with the 
foundations of network technologies, and for system and security managers. 
ZSPs is intended to be used by students of the Information Security and 
Network Security specialties. 

ZSPs is directed at studying secure network protocols that are tightly 
integrated into different network environments. It implements some elements 
of client-server configuration of the basic network protocols, such as 
creating PPTP and L2TP tunnels and IP Security connections. Windows 2000 
Advanced Server was chosen as the base system because it is one of the most 
widely used Microsoft OSs for creating powerful and convenient network 
environments. Within the common concept of learning, the product helps to 
solve the following tasks: giving basic knowledge of how the protocols 
function and of the methods of applying them, and thereby giving skills in 
configuring network connections so as to use their security services. 

Configuring protocols inside ZSPs does not affect the real parameters of 
the OS. This kind of implementation was chosen for the following reasons: 

Since inexperienced students use the application, there is a possibility 
of configuring the protocols incorrectly and thereby breaking the 
functioning of the whole complex. 

Since the product does not change the OS parameters, it can be used on any 
Windows system, and not only on Windows 2000 Advanced Server. 

ZSPs, emulating the work of the basic network protocols, has the following 
characteristic features: 

- It gives an opportunity to acquire both knowledge and practical skills. 

- It is independent of the concrete OS and can be used in any Windows 
environment. 

- It excludes the possibility of damaging the OS under which the 
application is used. 

- It has a user-friendly interface. 

- Theory is presented as HTML documents, which allows the teacher to 
modify and supplement the material easily without any threat to the 
application. 

- It has a help system, including instructions for tutors and trainees. 

- It implements a system of user registration, logging and reporting. 

- It implements a test system for examining trainees. 

The subjects taught, like everything concerned with modern networks, the 
Internet and intranets, are very dynamic: literally every day malefactors 
develop new methods of breaking into and crashing systems; in return the 
market of protection tools responds by releasing appropriate products for 
intrusion detection and defense. For this reason the principle of 
dynamism should be built into the approach to creating electronic 
tutorials in this area of knowledge. 



5. CONCLUSION 

Thus, the “Network Security” Scientific and Research Laboratory allows 
not only a significant improvement in student training in the existing 
group of information security specialties, but also brings the educational 
and research activities of the faculty up to a new standard. This results 
both in increased efficiency of training and retraining courses in old and 
new educational programs and in participation in federal special programs. 
Besides, the availability of the complex allows online exchanges of 
experience with foreign partners and joint investigation and research. 
Moreover, given a mutual agreement, it is even possible to take part in 
joint laboratory work in which, for example, Russian students and foreign 
students from Australia [2] or Italy [3] compete with each other for better 
knowledge of network protocols, technologies and network security tools. 
Several electronic tutorials for different parts of the information 
security educational courses have been created. 
1. INTRODUCTION 

Many problems within information security are multidisciplinary in 
nature: there is a need for knowledge from the natural sciences as well as 
from law, the social sciences and the humanities. This becomes problematic 
in research (as well as in practice), since each science has its own 
defined field of knowledge and well-established research methodologies. 
Basically two world views clash: the formal/hard and the informal/soft. To 
bridge the gap, inter-, multi- and cross-disciplinary methods are often 
used successfully, but they demand that each participant have detailed 
knowledge of each discipline involved. Holism takes the meta-approach, 
where an actual problem is investigated from some generalized system 
concept; this may emanate from any area of science but is initially 
scrutinized as one whole. The result of the systemic analysis then directs 
the further course of research and action. In this way knowledge from the 
soft and hard sciences is bridged. This paper discusses how to use an 
holistic approach in a PhD program in information security and 
information assurance. 

The paper is organized as follows. The international doctoral program, 
with a bias towards a holistic approach, is discussed. The WISE1-3 
conferences are revisited to draw conclusions about the holistic and 
interdisciplinary demands within the area, and to underline the 
international developments in academic teaching in 1995-2003. Finally, 
there is a section on the Systemic-Holistic Approach developed and used by 
the author. 



2. DISCUSSING THE INTERNATIONAL DOCTORAL PROGRAM 

Following the Systemic-Holistic Approach, SHA (see section 4), the 
content of any holistically oriented research needs a description of the 
field of study. Thus the core curriculum of such a PhD program needs to be 
specified in terms of what courseware in IT security is needed in addition 
to courseware in science, including scientific and research methodology. I 
will use the SHA approach for sketching and discussing the international 
doctoral program with specialization in information security and 
information assurance: doctorate by research and professional doctorate; 
different sectors including academic, military and armed forces, law 
enforcement, government and private industry. In short, the approach 
consists of: delimiting the system of study from its environment, defining 
the existing environment, defining the system through its inflow, 
through-flow and outflow, and structuring the in-built control system to 
deal with inner and outer variety. 

2.1 The system of study 

The system itself is the education with its processes, the students 
including their learning processes, the main advisors including their 
preferences and knowledge, the department (subject) and university, and 
possibly also the nation where the PhD candidate is enrolled. I will 
assume that a professional doctorate candidate will have some home 
department apart from his/her company (or equivalent). 

2.2 The environment 

The most important environment will include all the other international 
departments and universities which are part of this “international 
federation of doctoral consortium”. Each one is viewed as a system of its 
own. Defined this way, each department and university can use its own 
internal as well as external rules.¹ The environment also encompasses the 
companies/organizations and many of the problems which will be involved in 
the research. Particularly in research, there will also be international 
organizations of various kinds which are either interested in the research, 
conduct or fund research themselves, are involved in actions which interact 
with (parts of) the research, etc. 

2.3 The system; its inflow, through-flow and outflow 

I will assume that a doctorate will take 3 years of full-time research, and 
that the candidate will have a bachelor’s and a master’s degree (approx. 
3+2 years) prior to entering the PhD education. In the ideal case the 
candidate will already have studied security in relation to IT at the 
undergraduate or graduate level. The minimum knowledge in information 
security (or equivalent) ought to be somewhere similar to the programs 
described in the Proceedings of the WISE conferences (see section 3 of this 
paper), of an extent of about 1.5 years of full-time studies. In addition I 
would wish the candidate to have studied general science, scientific 
methodology, research methodology and scientific communication (oral, 
procedural, and writing, including an undergraduate or graduate thesis or 
project) to the equivalent of approximately 1 year. The candidate entering 
the PhD program should be a mature person with an urge to learn and, in the 
ideal case, also have a problem area of interest. Scrutinizing this problem 
area together with an advisor should result in a provisional and individual 
research plan. This plan may include courses or specifications for courses, 
and projects. All specifications should be guided by the goal of the PhD, 
which initially will be rather hazy but will gradually materialize into a 
clearly defined specification. This implies that I do not favour 
course-work per se within the PhD education except when the knowledge is 
identified as a need. This also implies the existence of a present, 
knowledgeable and interested advisor. Initially the advisor will “point 
with full hand” towards the goal and its content, but gradually the PhD 
candidate should take over full responsibility for his/her research. I 
really see no principal differences between a professional doctorate and a 
doctorate by research, except maybe for the scope. Still, both doctorates 
will need to show how to use sound scientific methods even though the 
balance between practical and theoretical work may be different.² 

¹ Experience with similar curricula development (Erasmus/Socrates) shows 
that each country has its own regulations and that it takes a long time to 
harmonize university educations. Even though Europe is in the process of 
harmonizing its system of higher education (the Bologna process), it will 
still take time to implement. An international program will probably take 
even longer. 

This implies that the best way of cooperating internationally is to be 
able to offer the courses we do give to the international forum; thus, for 
the international doctorate program, I suggest that IFIP 11.8 members put 
up a course catalogue on the web site for this purpose as a start. 

When it comes to the “holistic” doctorate, I view the approach as a 
scientific research methodology that may be used for inter-, multi- or 
cross-disciplinary problems. This usually implies incorporating knowledge 
from related fields such as management, economics, law and culture, but 
may also be used to incorporate aspects of software engineering and 
information systems. I believe a course on holistic approaches, as 
indicated in section 4, could be part of the scientific methodology. 

2.4 Structure the in-built control system to deal with inner and outer 
variety 

Since I suggest treating each department and university partaking in the 
international activities of a PhD program in information security as a 
system of its own, each department will be left with its own rules. 
International agreements, such as the Bologna process for European higher 
education, may change this gradually. 



3. WISES REVISITED 

The International Federation for Information Processing, IFIP, has 
through its working group 11.8 conducted workshops and conferences since 
1995 within the wide area of education in information security and 
information assurance. For the purpose of this paper, the author went 
through all the proceedings to bring the WG up to date with our findings. 
The analysis shows that the area has matured; international academic 
education is converging towards a consensus on core knowledge, and there 
are many detailed examples given of courses, contents, extent and 
laboratory work. The driving forces seem to have been the ERASMUS/SOCRATES 
program in Europe and the National Colloquium for Information Systems 
Security Education in the US; many universities have contributed their 
knowledge to the success. In 2001 bodies outside the traditional 
universities, such as the police and armed forces, joined with their plans 
and experiences. In 2003 we note reports strongly arguing for holistic, 
inter- and multidisciplinary approaches to information security, 
particularly for business-oriented education. Didactic questions are 
starting to appear, in particular distance education and forms of 
assessment of programs. Along come also reports from developing countries, 
changes in the profiles of infosec professionals, training approaches for 
SMEs, teaching PETs, etc. Apart from one paper on forensics and one on 
LPR, problematizations from legal points of view of information security 
education at any level are lacking, as are value-oriented questions and 
extensive comments on educational programs targeting trade and industry. 
Each of the conferences is characterized below through a listing of the 
titles and themes given. 

² This actually implies that I believe an MSc or an MBA towards security 
should be the preferred professional degrees for people working practically 
with security outside the academies. A professional PhD could still imply 
research, but maybe then more directed towards the problems of a specific 
organization. 

3.1 Pre-WISE work 

IFIP’s working group number 11.8, Information Security Education, within 
the Technical Committee on Security and Protection in Information 
Processing Systems (TC11), was established in 1991. In 1995 a series of 
workshops named Information Security Education - Current and Future Needs, 
Problems and Prospects, intended to build a critical mass of active 
international members, was initiated to run in parallel with the annual 
SEC95-98 conferences. Major themes in Cape Town, South Africa, in 1995 
were European academic IT security education, Information security 
education in the business administration environment, and Demands for 
ethical curricula in the information age. The following year, 1996, on 
Samos, Greece, the themes were Awareness models, Teaching and learning 
models, and Needs for standard curricula for different groups and levels, 
in addition to papers on Privacy, Laboratories and Holistics. In 
Copenhagen, Denmark, in 1997 the themes were extended towards reports on 
practical approaches and experiments, with a much wider international 
appearance also including teachers, pupils, data protection officials, and 
the postgraduate level. Finally, the fourth workshop, on a boat on the 
Danube between Vienna, Austria, and Budapest, Hungary, in 1998, presented 
detailed educational programs, mainly academic, from the international 
scene. 

By 1999 the time was ripe to start dedicated international conferences on 
themes around the teaching and learning of information security. They were 
named WISE particularly to underline that the teaching and learning about 
security in IT systems calls for reflection and analysis of what these 
systems, once made secure in some sense, will be able to accomplish in the 
real world. “Will they provide for trust in information systems, will they 
lead to a more secure world, for whom, will they perhaps change existing 
balances and power structures, will they tend to control individuals, etc.? 
The creation of awareness and understanding of the demands for security in 
IT systems has proven necessary; lacking acceptance with the users will 
result in inadequately functioning IT security. Also lacking awareness and 
understanding with the computer scientists and technicians of the demands 
for security in IT systems from business and user perspectives cause 
deficient IT security. This is what WISE is about - to present, analyse and 
discuss what, how, and whom to teach about information systems' and 
information technologies’ security.” (Yngstrom, 1999, p v). The acronym 
stands for World conference on Information Security Education, and was 
suggested by our late 11.8 member Peter Fillery after the 1996 workshop. 
Hopefully the WISEs will be vehicles not only for how-to-do reports, even 
if these are extremely helpful for the international audience, but also 
for exhibiting and discussing specific research problems incorporated 
within the teaching of and learning about IT security and information 
assurance. 

3.2 WISE1 

Looking back at WISE1 in 1999, the themes were introverted and reported in 
depth on what today would be called traditional academic IT security 
education. Only a few non-academic target groups were added, and the focus 
on teaching IT security to trade and industry was almost negligible. Very 
few research problems were discussed. The titles speak for themselves: 
Academic Curricula and Curricula Developments in Europe - The 
ERASMUS/SOCRATES Approach, Incorporating Security Issues Throughout the 
Computer Science Curriculum, The Reference Monitor Concept as a Unifying 
Principle in Computer Security Education, Personnel Training for 
Information Security Maintenance in Russia, IT Related Ethics Education in 
Southern Africa, Data Protection in Healthcare and Welfare, A 
MixDemonstrator for teaching Security in the Virtual University, On the 
Experiment of Creating the Electronic Tutorial “Vulnerability and Protection 
Methods in the Global Internet Networking” in Moscow State Engineering 
Physics for Education of IT Security Professionals, Information Security 
Best Practice Dissemination: The ISA-EUNET Approach, Amplifying Security 
Education in the Laboratory, IT Security Research and Education in Synergy, 
Developing an Undergraduate Lab for Information Warfare and Computer 
Security, Internet Groupware Use in A Policy-Oriented Computer Security 
Course, Teaching Computer Security - the Art of Practical Application, Some 
Aspects of Cryptology Teaching, Explaining cryptosystems for the general 
public, Approaching the concept of IT security for young users, Introducing 
IT security Awareness in Schools; The Greek Case, Making information 
security awareness and training more effective, The Value and Assessment 
of Information Security Education and Training, The Manual is the Message 
- an Experiment with Paper based and Web based IT security manuals. 
(Yngstrom & Fischer-Hubner, 1999). 

3.3 WISE2 

In WISE2 the scope had widened, nationally as well as internationally. 
There were reports on international curricula and on important educational 
problems and impacts also outside established academic institutions, such 
as the police and armed forces, the cyber environment, small enterprises, 
distance education and societal issues. The inter- or multidisciplinary 
issue was raised by many authors. 

Titles were: Global Impacts, Future Challenges and Current Issues in 
Training within the Police Computer Crime Unit, Information Warfare and 
Cyber Warfare: More Than Just Software Tools, Information Security; 
International Curriculum Projects, The Russian Experience - Information 
Security Education, Updates on the SOCRATES/ERASMUS Program, Teaching 
Cyberwarfare Tactics and Strategy, e-Education Frameworks: Applying 
Generalized Development Strategies to IT Security Courses, An Information 
Security Education Program in Finland, Information Security Education, 
Teaching Security Engineering Principles, Core Curriculum in Security 
Science, Problems in Designing Secure Distance Learning Systems, The 
Virtual Campus, Action learning in practice, Progress Testing in Distance 
Learning, A Security Training Approach for UK Small and Medium Sized 
Enterprises, IFIP World Computer Congress/SEC 2000 Revisited, Teaching 
Privacy-Enhancing Technologies, Game-Based learning within IT security 
Education, Human Aspects of Information Security, Awareness and views on 
Intellectual Property Rights concerning the Internet, Analysis of Teaching 
GNY-Based Security protocol, Information Security Aspects in the Expert 
Training Program on Physical Protection of the Objects, Reaching for the 
Stars - a practical case study in securing computer facilities. 
(Armstrong & Yngstrom, 2001). 

3.4 WISE3 

At the time of WISE3 the area had matured profoundly. There are many 
detailed curricula reports, including laboratory experiments with different 
flavours, extensions, levels, depths, widths and target audiences; 
excellent aids for newcomers. The developed, Western-oriented world 
dominates, but smaller and less developed countries also report progress. 
There are more quests and suggestions for interdisciplinarity, in 
particular marrying IT security education with education in business 
administration and intelligence. Computer forensics and information 
assurance are emergent concepts for education, and existing definitions 
and focuses are problematized. Evaluation appears as a separate subject, 
and the concept of education is widened to include retraining and the 
activation of alumni and other external groups. A natural extension of the 
curricula towards the postgraduate level is present, and there are 
suggested research areas and themes. Titles are: Cyber Security as an 
Emergent Infrastructure, Teaching Network Security Through Live Exercises, 
Information Warfare in the Trenches, Changes in the Profile of Security 
Managers, A Tutoring System for IT Security, Design of a Laboratory for 
Information Security Education, Integrating Information security and 
Intelligence Courses, Internet Security Management, Information Security 
Fundamentals, Australia's Agenda for e-Security Education and Research, Is 
Security a Great Principle of Computing, IT Security Readiness in 
Developing Countries, A Program for Education in Certification and 
Accreditation, Mastering Computer Forensics, Assembling Competitive 
Intelligence Using Classroom Scenarios, Teaching Undergraduate Information 
Assurance, Outcome-based Assessment as an Assurance Education Tool, 
Evaluation Theory and Practice as Applied to Security Education, Ten Years 
of Information Security Masters Programmes, Network Security Scientific 
and Research Laboratory, A Comprehensive Undergraduate Information 
Assurance Program, Training the Cyber Warrior, Security Education for 
Times of Netwar and Peace, Improving Security Awareness Through 
Computer-based Training, Identification and Integration of Information 
Security Topics, A Dedicated Undergraduate Track in Computer Security 
Education (Irvine & Armstrong, 2003). 



4. AN HOLISTIC APPROACH TO INFORMATION SECURITY AND INFORMATION ASSURANCE 

When I first started to study, and later to teach, information security 
from a holistic (later called systemic-holistic) base, I did not fully 
understand that it was a difficult (and to some extent, even today, 
unsolved) scientific problem. My department was one of the first to 
consider computer science and information systems together: to our notion 
computers process data which, in some sort of intelligent process (often 
involving humans), may be transformed into information. And viewing the IT 
security problems (initially of privacy) from the point of view of a 
generalized system made it easy to state and understand the security 
problems as problems of integrity. To my understanding no system, not even 
‘privacy’, could be totally without an environment with which it has 
relations; thus it boils down to some sort of control problem. Cybernetic 
systems are controlled through feedback, and in theory they apply ‘control 
from within’ (Wiener 1948, Beer 1964, 1968). They appear in various forms. 
Thus security, to me, could be viewed from the point of view of building a 
control system or systems. 

The third central part of the holistic approach was General Systems 
Theory, GST. The purpose of GST (von Bertalanffy 1956, 1968) was to 
further the development of theoretical systems applicable to more than one 
of the traditional disciplines into a meta-theory. In this way analogies 
and isomorphisms can be carried over from one known area to another. GST 
rests on five postulates and ten hallmarks, which in essence view the 
world from formally provable realities where general laws and structures 
may be transferred from one level to another and from one area to another, 
provided there are strong similarities. Thus assessed research methods can 
be applied in new fields. 

The Theory of General Living Systems (Miller 1978) also took part in the 
theoretical building of the systemic-holistic approach. Miller delimits 
his theory to deal with concrete, open, homeostasis-aiming complex 
systems, composed of 19 critical subsystems. Miller himself notes (1978, p 
42): “My analyses of living systems uses concepts of thermodynamics, 
information theory, cybernetics, and systems engineering, as well as the 
classical concepts appropriate to each level. The purpose is to produce a 
description of living structure and process in terms of input and output, 
flows through systems, steady state, and feedback, which will clarify and 
unify the facts of life”. 

With the aid of systems theories and cybernetics, the systemic-holistic 
approach was structured to facilitate understanding IT security problems 
as problems of how to construct robust and survivable structures. Now, 
this was not the way most IT security people viewed their task: I spent 
time researching how and why people saw the world the way they did as 
compared to my view, and what the results of the different world views 
were. At the time (Yngstrom 1996) I outlined and discussed some areas as 
an illustration of why it was (and is) problematic to understand security 
in relation to IT: 

• A language problem: English is the language used in most scientific 
communications, whereas many other languages understand ‘security’ much 
more widely. 

• Is cryptography the same as security? Cryptographic functionalities are 
based on secrecy but are used in quite different ways. 

• Whose point of view is security for? Most often the view is to protect 
the assets of the firm and not those of the individual. 

• How is the environment considered? The environment is often implicit to 
the developers. It is not necessarily the same as that understood by the 
users. 

• Information or data security? The two concepts are often used 
interchangeably, giving an unsound basis for decisions. 




Louise Yngstrom. 



• CIA as the main definition/description. As technology and the use of IT 
extend, these definitions are not good enough; even these three include 
contradictions. 

• Problems of specifying IT security criteria. We live with that all the 
time, and I still favour Abrams’ (1994) comment that there is not one good 
model to cover all aspects, despite the CC. 

• Measurements of security. Today security metrics seem to be a large field 
for research. 

The issues presented are gleanings from frequently discussed matters. 
Certainly they could have been headlined or related differently - this is the 
whole point of an SHA approach. Many perceive the issues as a mesh of 
opinions or ideas built on specific knowledge, and somehow - which is not 
obvious - connected to each other. This is where a generalised concept of a 
system may be used as a basic model for understanding and structuring 
matters, expressed by the following steps: 

1. Understanding and conceptualisations, 

2. Demarcations: delimit the system of study from its environment 
including defining the relevant environment, 

3. Definitions: specify inflows, throughflows and outflows, and 

4. Measurements of control: structure controls to deal with relevant 
varieties. 

Following this, the problematic issues mainly dealt with: 

1. Understanding and conceptualisations: Language and Cryptology, 

2. Demarcations: Whose point of view to take, and Taking account of the 
environment, 

3. Definitions: Information or data, IT security criteria, and Confidentiality, 
integrity, and availability, and 

4. Measurements of control: Measurements of security. 

However, few of the issues are unequivocal and someone else might want 
to classify them as: 

1. Understanding and conceptualisations: Confidentiality, integrity, and 
availability, Whose point of view to take, and Taking account of the 
environment, 

2. Demarcations: Measurements of security, and Information or data, 

3. Definitions: Language, and 

4. Measurements of control: IT security criteria. 

This illustrates exactly why the issues are problematic: they cannot with 
any kind of certainty be allocated to one model that is easily understood and 
agreed upon, even amongst involved professionals. Still, the generalised 
concept of a system can be used differently - to form a base for a subjective 
appreciation of the area which is also objectively communicable to others. 

4.1 The Systemic-Holistic Approach spelled out 

General Systems Theory had its origin in observations of similar 
phenomena existing in many different sciences. To study these across 
disciplines, Bertalanffy chose the concept of ‘system’. He used ‘system’ 
as an epistemological device to describe organisms as wholes, and showed 
that it could be generalised and applied to wholes of any kind. Checkland 
developed this further [Checkland 1988] in discussions on the confusion 
between what exists (the ontological entity) and what is an abstraction (the 
epistemological entity). 

Checkland’s view is that humans can only perceive reality through a 
methodology which uses abstract concepts. While perceiving /a part of/ 
reality, humans are able to reflect on their findings - and in doing so, they 
will test and change their concepts in order to fit them better to the perceived 
reality. In this actual process of testing and changing, there is a multi- 
creating relationship between the perceived reality and the intellectual 
concepts which in fact constitutes a learning process. 

In efforts to control, humans may choose to assume that the reality is a 
system, rather than that it could be looked upon as a system through the learning 
process. The control method used in the first case Checkland labels 
engineering or hard systems thinking, the second one systemic or soft 
systems thinking. The main differences he underlines between the methods are 
that in hard systems thinking perceived realities are treated as existing 
systems (the ontological entity) and their problems solved by systematic 
methods, while in soft systems thinking perceived realities are treated as 
problems (the epistemological entity) and solved by systemic methods. 
Through soft systems thinking, humans can learn how the concept of a 
system reflects the real world, and may represent one - and possibly 
changing - understanding of the world. Checkland does not refrain from hard 
systems thinking and engineering, rather he underlines that soft systems and 
hard systems thinking are complementary to each other. But the decision 
when to change from one to the other is a human subjective one. 

The confusion between “what seems to exist” and “what exists” has been 
labelled by Checkland as “the confusion between the images of the systems 
and the systems image” [Checkland 1988, p. 40]. By Laufer [Laufer 1985] it 
is described as the confusion between the science of nature and the science 
of culture; what is neither nature nor culture is artificial. And the science of 
the artificial is the science of systems, i.e. cybernetics. 
Laufer offers one more explanation of importance to the security area: 
the main reason for the confusion between what is nature and what is culture 
is that the ultimate locus of control is undecided. This generates an on-going 
crisis with two distinct states. Either the problem is very simplistic and 
implies a great number of similar events; in that case a manager can predict 
future states of the system and is confronted with the relatively safe risk of 
controlling the probable. Or - and more often - assumptions cannot be made 
about the similarity of future events or about their independence, and 
management is confronted with the problem of controlling the improbable. 
The results of trying to control and cope with the improbable is to control it 
symbolically; for instance through laws that authorise, commissions to deal 
with abuses or prevention, ad hoc commissions to deal with any new 
emerging problems, security norms produced by suitably composed 
commissions, or public opinion through opinion polls [Laufer 1990]. 

Checkland and Laufer, following Bertalanffy and General Systems 
Theory, thus give grounds for studying the concept of ‘system' as an 
epistemology for viewing and understanding perceived realities. The actual 
choice of when to change over to hard systems thinking becomes subjective, 
but is done consciously, and becomes a part of the conceptual model and the 
pedagogics. 

General Living Systems Theory forms the third building block to the 
concept of systems, since it deals with systems that really exist - the 
ontological entity. It offers a concrete understanding of how physical 
realities restrict theoretical models, so frequently used within IT security that 
we tend to believe that the models are the reality. 

General Living Systems Theory [Miller 1978] deals with living, concrete, 
open, homeostasis-aiming systems composed of matter and energy and 
controlled by information. Matter and energy are considered in their physical 
form, and information is defined as physical markers carrying information. 
Thus a living system is composed of physical entities. Moreover, living 
systems exist on seven levels: cell, organ, organism, group, organisation, 
nation, and supranation; each level needing nineteen critical subsystems for 
its survival. Each subsystem is described through its structure and process 
and through measurable representative variables. The model is recursive on 
each level. General Living Systems Theory offers knowledge and insights on 
how to link reality to theoretical models; through understanding of physical 
realities, restrictions of the domains of different theories can be understood. 

Sequentially - because we know no other way of presenting material - the 
Systemic-Holistic Approach starts with General Systems Theory and 
Cybernetics, which present the foundations of the epistemology, the way to 
understand and learn. It is interleaved with appropriate, contemporary IT 
security examples. 
It is further developed along General Living Systems Theory, 
exemplifying for instance the following citation from [Hofstadter 1979, p. 
686] elaborating on the issue “Do words and thought follow formal rules?”: 
“the ultimate answer is Yes - provided that you go down to the lowest 
level - the hardware - to find the rules ... neurons run in the same simple way 
the whole time. You can’t “think” your neurons into running some non neural 
way, although you can make your mind change style or subject of thoughts 
... Software rules on various levels can change; hardware cannot - in fact, to 
their rigidity is due the software’s flexibility!”. 

It also sheds some light on some obvious reasons for IT security 
problems [Hoffman 1992, p. 4]: 

“The traditional and widespread von Neumann architecture is 
inappropriate for systems shared by a large number of users, not all of whom 
trust each other ... The technical communities will have to produce changes 
in the basic architecture of personal computers to avoid the threat of 
expensive product liability suits”. 

General Systems Theory makes it possible to define and investigate 
systems and their phenomena free from any biases other than that of the concept 
itself. This way paradigms, values, and other related entities can be explicitly 
defined and discussed in context. 

None of the presented theories give absolute criteria as to when to change 
from an epistemological to an ontological treatment to reach security - 
rather, this is directed to be performed in interaction with the phenomena 
themselves. It becomes a /subjective/ assessment based on a specific domain 
of action, a context. But together they indicate how to organise 
conceptualisations for establishing continuous learning processes in IT 
security: always to question if “facts” really can be considered as such, and 
always try to confront facts with context, even different contexts. This may 
also be a suitable mode governing the design, operation, management, and 
evaluation of secure IT structures. 

The conceptual model, called the Systemic-Holistic Model, is very 
simple; it consists of a three dimensional framework and a Systemic Module 
as shown in Figure 1. 

The framework describes the areas of interest while the Systemic Module 
acts as an epistemological device for “facts” in the framework. The 
framework is organised into three dimensions: Content/subject areas, Levels 
of abstraction, and Context orientation. The Systemic Module presents 
foundations of General Systems Theory and Cybernetics, Soft Systems 
Methodology and General Living Systems Theory. Through these, security, 
as the concept of control and communication, can be defined, investigated, 
and explained on a level free from any other biases than the system concept 
itself. This meta knowledge may then be applied at any level of the three 
dimensions of the framework; each practical interpretation may thus be 
viewed as an instance of subject area, level of abstraction and context. 

The Systemic Module and the framework are viewed as a system with the 
potential to be viable in the sense of [Beer 1979]: in order to establish a 
control system that will grant viability to a system, three levels need to be 
analysed: the system itself (system in focus), its environment (the meta 
system) and the level below the system in focus. Together the three 
dimensions may be referred to as Beer’s three levels of analysis, and the 
analysis is eventually also applicable recursively in the dimensions 
separately. 



[Figure 1 residue: axis labelled “Abstraction level”; box labelled “Systemic module - an epistemological device, meta-science, and criteria for control”] 



Figure 1. Details of the framework and the methodology for Security Informatics - the 
Systemic-Holistic Model 

4.2 Some critique of the SHA for researching IT security 

The most fundamental critique lies with the subjectivity: when a physical 
person has to decide to change from epistemology to ontology, from 
systemic/problematic to systematic/hard science. But this, to my 
understanding, is connected with what efforts we want to make: if we can 
deal only with one side of the problem, we can use scientific methods proved 
for these problems; if we want to deal with realities including systems, 
applications, people, etc. in various roles, we need a bridging science, such as 
the SHA approach. Other authors, for instance Fillery-James (1999), Siponen 
(2003) and Truex et al. (1999), have presented similar approaches. The 
approach as such may very well be further developed; there are indications 
that a totally new scientific base, which can bridge the areas of both hard 
and soft sciences based on second order cybernetics, is under way (Kjellman 
2003, 2001). The particular approach is called the Subject-oriented Approach 
to Knowledge, SOA, and has many resemblances with the SHA. 
Abstract: Information Security is one of the fastest growing research areas in the 
field of Computer Science and Information Technology/Systems. However, if 
research into security is to be successful, then researchers’ mindsets have to 
match and exceed those who engage in intrusive, unlawful and unethical 
activities in the field of Information Systems and Technology. Security 
Professionals, and for that matter those engaged in research and security 
product/service development, need to be able to ‘think like the criminals but 
not act like them'. Such a task is extremely difficult because, unlike 
criminals/terrorists, Security Professionals' thinking is highly conditioned by 
regulations, law, rules, procedures, documentation, policies, values, ethics, and 
concern for the consequences of undesirable action on those affected. There is 
of course the danger that if you follow the criminal ways of thinking then you 
may become tempted to follow their behavior eventually. So, how can 
mindsets be trained to enable Security Professionals to think freely without 
necessarily having to go through experience-based learning? How can we 
develop doctoral programs that specifically target the development of the 
conceptual mindsets of the researchers? What specific sets of concepts will be 
useful for addressing these issues? These are questions that will be addressed 
in this paper. 



Key words: IT security education, doctoral programs. 
1. INTRODUCTION 

Criminals’ and Terrorists’ mindsets are guided by misplaced creativity 
and innovation. That creativity comes naturally to them as they consciously 
or unconsciously decide to take no regard for procedures, policies, 
regulations, rules, the law or concerns for others, while those who abide by 
those behavioral guidelines are constrained in their thinking. This creates a 
huge disadvantage for Security Personnel as they are forever engaged in 
detection and recovery as their primary mode of learning. Some alternative 
ways of thinking have to be encouraged among Security Professionals. 
Doctoral programs that plan to develop Security Professionals’ skills need to 
deliberately target the development of their conceptual mindsets if they are to 
prepare them for the difficult tasks of preventing, detecting and recovering 
aspects of socially valued legal activities. This is a task that has been 
undertaken by the use of ‘Systems’ philosophy and concepts (Ackoff 1971) 
for many years. 

‘Systems’ are simply an holistic way of understanding real world 
phenomena. Systems concepts help to focus people’s minds on the 
interconnections of parts before the study of the individual parts. In essence, 
systems concepts help us to understand the nature of the interconnections 
required to achieve the outcome and behavior of an entity (Ackoff 1972). 
Systems concepts and philosophy have been around for thousands of years. 
For example the systems phrase ‘A whole is greater than the sum of its parts’ 
has been attributed to Aristotle. These concepts were revived in the 60s to 
help address the much required integrative aspects of knowledge, skills, and 
the design/development of objects, products and services (Katz and Khan 
1966). If so what new paradigmatic shift is necessary for those engaged in 
doctoral research into information security issues? 

Systems concepts that have been discussed in the literature and applied in 
practice since the 60s take what Checkland (1999) defines as a ‘hard’ 
systems view (Katz and Rosenzwig 1970). That is, those who use ‘systems’ 
in this sense take the world to contain ‘systems’, i.e. ‘taken-as-given’ systems 
- see Checkland for a rich account of the shift from the Science to the Systems way 
of thinking in problem solving. In this way researchers and practitioners 
have been able to take a much wider and more holistic view of situations than 
before and develop better and more effective solutions that focus on 
integration to produce the desirable results. The use of systems notions in 
this way of thinking is to describe the world in systems terms, e.g. education 
systems, transport systems, security systems. We name this the use of 
‘systems’ in ontological mode, meaning that knowledge about systems is 
not subject to question. 

The paradigmatic shift that is advocated in this paper is one of mode 
rather than the nature of the concepts. We name this new paradigm shift as 
‘systems epistemology’. In this mode Checkland (1999) considers the 
enquiry of the world to be assisted by ‘systems’ notions rather than consider 
the world itself as consisting of systems. He classifies this as ‘soft’ systems 
thinking. In arguing for this richer and a more powerful mode of enquiry, 
Checkland (1999, All) conceives the enquirer’s role as one of ‘I spy 
complexity and confusion; but I can organize exploration of it as a learning 
system’. Churchman (1971) in his famous book on ‘The Design ofEnquiring 
Systems’ also illustrated similar mode of enquiry of the world using different 
philosophical notions each of which yields a different perception of reality. 
Vickers (1968) called this mode of thinking as ‘Appreciative Systems’. 
These are schemata formed within the mindsets that help to make sense of 
some part of reality but not others. 

‘Whatever the mind can represent to itself, from a cow 
to a contract, from a law of nature to a legal principle, is 
recognized by applying schemata - “readiness to see” 
which are themselves developed or restricted, confirmed 
or confused, elaborated or simplified, by further 
use. This circular process, which contains the real 
answer to all conundrums of “hen-and-egg” type, is 
ubiquitous through the whole range of learning. It is the 
commonest fact of life - and the first foundation for a 
scientific epistemology’ (Vickers 1968, p. 193-194). 

All three authors have been trying to shift enquirers’ attention away from 
things-out-there in the world to thinking about the ways of conceptualizing 
the meaning of the things-out-there, and to discuss the nature of the frames of 
reference for use in those structuring processes. 

Let’s contrast these two different modes of using the same ‘systemic’ 
concepts in order to appreciate the power of the paradigm shift for doctoral 
education. 
Ontological Mode / Epistemological Mode 

Ontological: Attention is to discover the ‘system’ out there in the world to 
be modeled and changed. Systems have existence without us and can 
therefore be named and observed. 
Epistemological: Attention is to question ‘Why should I consider the chosen 
set of observed phenomena as a “system”?’ Systems have no existence 
without an observer. 

Ontological: The process of boundary construction is implicit or 
unconscious. Because of this, any changes that are undertaken to the 
boundary position tend to be either defended as a challenge to personal 
status or position, or accepted as part of a political process of 
accommodation. 
Epistemological: The process of boundary construction is explicit or 
conscious. Questions about the boundary position are encouraged and 
pursued. The wish is to ensure that the boundary position is relevant and 
useful, and the interest is to discover the rationale for the views. 

Ontological: Select phenomena in the world to match the ‘systems’ 
characteristics that are carried in the mindset. 
Epistemological: Evaluate the phenomena in the world for their potential 
for inclusion in the modeling using ‘systems’ ideas. 

Ontological: Locked into the ‘systems’ boundary. The boundary separates 
the system and its environment, and therefore the enquirer’s attention is on 
those inputs and outputs that cross the boundary. 
Epistemological: Since the boundary is an artificial construct, a system and 
its environment are subjective constructions. The inputs and outputs will 
depend on the boundary position. 

Ontological: Focus is on the re-arrangement and the modification of the 
system’s content. The boundary is not open to question. 
Epistemological: Focus is on the relevance of the chosen boundary and its 
systems’ context. The question is whether relevant elements have been 
included. 

Ontological: In general, the mapping of ‘systems’ is a one-off activity. 
This is confirmed by the phrases ‘I found the system’, ‘the system is’, ‘the 
problem with the system’, ‘I designed the system’, etc. 
Epistemological: In general, the mapping is a continuous set of activities. 
There is never the system, as it is an artificial selection of a set of related 
phenomena for exploration. 

Ontological: Since the system is established, any subsequent questions that 
challenge the boundary of the system are rejected. Questions are seen as a 
challenge to authority, status and position. The reactions are expressed as 
emotional rejection or as political denial. 
Epistemological: Since the relevance and validity of a system is never 
established, there is a continuous seeking of information to confirm the 
status of its relevance. Neither emotions nor politics have a part to play in 
this mode of logical analysis. 

Ontological: Skills used are for the transformation of the content of the 
system. Enquirers are preoccupied with re-design or construction. 
Epistemological: Skills used are for the examination of the context of the 
chosen ‘system’. Enquirers are interested in establishing the justification for 
the design. 



2. EPISTEMOLOGICAL AND ONTOLOGICAL 
MODES OF THINKING AND SECURITY 

In the epistemological mode of thinking, there are no absolute ‘systems’ 
in the world. What may exist are selected sets of perceptions about the world 
which we may justify as ‘systems' using a set of systemic characteristics as 
the basis for making that selection. In that sense, the choice of ‘systems' is a 
deliberate and conscious intellectual activity (Jayaratna 1994). This means 
that ‘systems' have no existence outside the observer/enquirer. Since 
‘systems’ do not exist without an enquirer, it makes sense to concentrate 
more on the role of ‘systems’ in the mindset of the Security Personnel than 
on the technology, objects or physical aspects of security issues. This is the 
same philosophy that has been used for underpinning the design of the 
Masters Program in Internet Security Management curriculum (Armstrong 
and Jayaratna 2002). 

As discussed earlier, criminals naturally think outside the box, while we, 
through our childhood training, secondary and university education and 
work experience, together with other conditioning factors such as 
procedures, policies, law, regulations, values, ethics and our concern for the 
effect of our actions on others, tend to think within strong boundaries. These 
boundaries constrain our ability to become creative and innovative. Since it 
is difficult, and also raises ethical and value issues, to learn to think like a 
criminal, we have to find other ways of freeing the minds of the Security 
Personnel. We believe that the same level and ways of learning to think can 
be achieved through the use of epistemological notions of ‘systems’ as 
discussed in Checkland (1981), Churchman (1971) and Vickers (1968). This 
way of conceptualizing security breaches across boundaries frees the 
researchers to think of security boundaries as artificially constructed devices 
that could be placed anywhere, not necessarily at the level of the physical layout of 
buildings, hardware networks, groups etc. Equally, the freedom to construct 
‘systems' in their mindsets enables doctoral students to be more creative 
and innovative in their research. They are better able to organize the 
knowledge thus gained. As Checkland humorously puts it, ‘A cat can be 
considered as part of a mouse eliminating system'. Indeed it can also be 
considered as part of: a home entertainment system; a friendship network 
system; an affection generating system; or a child substitution system. 
Pursued in this way, doctoral students are able to pursue their methods of 
enquiry and solutions in many novel ways. 

The conceptual closure of a ‘system' from its environment does not 
necessarily insulate us from the observed or non-observed phenomena in the 
world. The boundary is artificial and therefore permeable, and that is the 
reason why the enquirer needs to remain open on a continuous basis to 
external feedback and information that help them to adjust or shift those 
boundaries. This ability to conceptualise and re-conceptualise systems 
boundaries is critical for Security Personnel thinking processes, as they have 
to continuously match or anticipate the actions of the criminals/terrorists. 

For example, the ontological mode of systems thinking makes the 
Security Personnel focus on inputs and outputs at fixed points e.g. entry to 
the building, network access, while the epistemological mode of ‘systems’ 
thinking enables them to draw boundaries anywhere and at any level. Each 
re-drawing will highlight a different set of security related inputs and 
outputs. 
Doctoral programs that are intended to generate knowledge for industry 
use therefore need to include the preparation of the intellectual mindset of 
their students to a very high and deep level. Students need to be exposed to 
many different philosophical ways of understanding phenomena. Most 
essentially, they need to develop ways of conceptualizing and re- 
conceptualizing. The epistemological mode of ‘systems' thinking helps such a 
development to take place in a very effective way. 



3. CONCLUSION 

Criminals and terrorists have very creative and innovative mindsets. It is 
their actions that are highly misplaced. Security Personnel who have to 
match or anticipate such actions need to have equally deep levels of 
creativity and innovation, but currently they are constrained in their thinking 
because of the rules, regulations, laws, policies, procedures, documentation, 
values, ethics and concern for others. If Security Personnel are to be 
effective then they need to ‘think like a criminal but not act like one'. 
Doctoral programs that are targeted at the reasoning processes of Security 
Personnel need to raise the conceptual abilities and capacity of their 
students. This paper discussed the new paradigm shift that has to be achieved, 
and the ‘epistemological mode' of ‘systems' that can achieve that shift. 
Abstract: Highly qualified personnel training is one of the priority national tasks in the 
field of education, which is aimed at supporting the specified level of the 
personnel potential for fulfilling scientific research and teaching in the system 
of higher education. Extensive experience in that field has been accumulated 
in Russia. The general organizational requirements of the existing Russian 
system as a whole, as well as the particular features of candidate and doctor 
of sciences training in scientific specialties related to information protection and 
information security, are posed in this report. 

Key words: highly qualified personnel training, security education, information security, 
thesis requirements, Russia 



1. THE SYSTEM OF HIGHLY QUALIFIED 
PERSONNEL TRAINING IN RUSSIA 

The process of highly qualified personnel training is carried out in large 
research institutions, leading universities and other institutions of higher 
education. The basis of training is formed by the system of state certification 
which is organized by the social-state authority, namely Higher certification 
committee of the Russian Federation (HCC of Russia), operating at the 
Ministry of Education of the Russian Federation. The HCC of Russia issues 
normative documents regulating activities in the considered field of 
educational services, creates social boards carrying out the main certification 
procedures, and adopts final decisions on giving the corresponding 
qualification to candidates. 

The Russian system of certification is based on a two-stage technology of 
giving qualifications by results of the successful defense of scientific 
qualification papers (theses): “candidate of science” (the first stage) or 
“doctor of science” (the second stage). To pass the second stage it is 
obligatory to defend the candidate of science thesis first. 

According to the HCC of Russia, a candidate's thesis should either 
include a solution of an essential problem in the given area of knowledge or 
state scientifically founded technical, economical or technological 
innovations having vital importance for the country’s economy. 

A doctoral thesis should include either results of scientific research which, 
taken together, could be qualified as a new scientific achievement, or the 
solution of a big scientific problem having significant social-cultural or 
economic significance, or state scientifically founded technical, economical 
or technological solutions whose implementation would bring an important 
contribution to the country's economic development. 

An obligatory condition for presenting a candidate of science thesis 
is successfully sitting at least the following three examinations: scientific 
specialty, philosophy, and foreign language. 

As a rule, highly qualified personnel training, involving the realization of 
specific scientific research work, education, and sitting for disciplinary 
examinations similar to the candidate level, is carried out by enrolling 
candidates in post-graduate studies established at leading scientific institutions, 
universities and other educational-scientific centers. The duration of post- 
graduate studies is three years full-time and four years part-time (by 
correspondence course, without leaving the main job). Depending on the 
method of payment, a state budget form of training, at the expense of state 
financial support, and a contract form of training, at the expense of the 
candidate's own funds, are distinguished. Carrying out post-graduate student 
training, being one of the forms of educational services, requires obtaining a 
license from the Ministry of Education of Russia. 

Each thesis is implemented within one of 25 listed scientific fields. 
For example, in the field of information security it could be 
physico-mathematical sciences, technical sciences, or legal sciences. These 
titles are accordingly added to the scientific degree (e.g. candidate of 
technical sciences, doctor of physico-mathematical sciences). 



2. THESIS REQUIREMENTS 

The HCC of Russia has determined that a person competing for a candidate 
or doctor scientific degree should hand in his thesis to the corresponding 
board in the form of a specially prepared typescript or a published 
monograph. 

The thesis should be written by the author himself, include a collection of new scientific results and statements proposed by the candidate for public defense, have inner unity and be evidence of the author's personal contribution to science. 

The new solutions proposed by the author should be consistently argued and critically evaluated in comparison with other known solutions. 

A thesis of applied significance should include information about the practical use of the scientific results obtained by the author, whereas a thesis of theoretical significance should include recommendations for the use of its scientific conclusions. 

The main scientific results of a thesis should be published in scientific 
editions recommended by the HCC of Russia. 



3. HIGHLY QUALIFIED PERSONNEL TRAINING 
IN THE FIELD OF INFORMATION SECURITY 

There is only one specialty related to information security in the list of scientific specialties approved at the level of public administration authorities: "Methods and systems of information protection, information security". The requirements of that specialty are formulated in the so-called "specialty passport". That document, approved by the HCC of Russia, establishes the list of problems which should be solved by the candidate in scientific research corresponding to this specialty, determines the role (significance) of the specialty, indicates the fields of science to which the specialty belongs, and defines its place among other specialties. 

Scientific research dealing with the problems of analysis, development, use and perfection of methods and means of information protection in the process of its gathering, storage, processing, transfer, and distribution, as well as the technical, organizational, and legal support of the information security of the state, the community and the individual, belongs to the specialty under consideration, "Methods and systems of information protection, information security". 

Scientific research within that specialty should be important for solving methodical, scientific-technical and organizational-legal problems on the basis of designing new, and developing existing, methods and means of information protection, in order to ensure the information security of technical, social-economic, biological and other systems of any kind and area of application, and to perfect and develop the corresponding legal regulation as well as the forms and methods of confronting violations in the informational realm. 
Here is a list of fields of research which may be carried out within the concerned specialty: 

- analysis of fundamental problems of information security in the process of formation of the modern informational society, ensuring the balance of personal, social and governmental interests in the informational area; 

- research and development of methods, models and means for the detection, identification and classification of threats of information security violation for objects of different kinds and classes; 

- analysis and scientific substantiation of the main lines of activity of public and local authorities in providing the information security of the Russian Federation, including the development and perfection of a system for monitoring the Russian Federation's information security status; 

- study and prediction of the consequences of the incorporation and wide proliferation of modern information technologies, including the development of methods and models of informational-psychological security of the individual and society; 

- scientific substantiation and development of organizational-legal mechanisms for securing the constitutional rights and freedoms of citizens in the informational area, these rights and freedoms regulating the creation and use of informational resources, means of information protection, assessment, standardization, quality certification and control of information and informational resources, prevention and investigation of crimes in the high-technology area, cooperation of federal, Russian Federation subjects' and local authorities in the informational area, and cooperation among countries for providing collective information security; 

- analysis of the protectability of information circulating in the various existing document circulation systems; development of methods and means of information protection in electronic document circulation systems, including cases of the use of digital signatures and other cryptographic methods and means for providing the information integrity of electronic payment and electronic commerce systems; 

- design of measures and mechanisms for the formation and support of information security policy for objects at all hierarchy levels of different control systems; 

- development of a general theory of information security and information protection with various technical, organizational and legal methods and means, including foundations and project solutions (technical, mathematical, organizational, legal, etc.) for the creation of prospective means of information protection and information security; 

- analysis and risk management, evaluation of possible damage as a result of an information security breach, and of vulnerabilities of systems of any kind and field of application, including models and methods for the evaluation of the information protectability and information security of objects of various classes, and of the efficiency of information security systems and complexes; 

- development of a theory of conflict functioning of informational-telecommunicational systems (ITCS) of any kind and field of application; 

- research of new physical processes and effects allowing ITCS security to be increased; 

- development of technologies for the identification and authentication of ITCS users and subjects, access control, antivirus protection and protection of ITCS against destructive software influence; 

- creation of computational systems, models, methods and means providing stability and protection for data objects, databases and metadata at various stages of their lifecycle; research and development of methods and means for protecting ITCS data and knowledge bases; 

- synthesis of integrated ITCS information security systems, including means of automated design targeted at increasing their security; 

- research and development of models, methods and means (complexes) of passive and active informational counteraction to information security threats in networks, including such open networks as the Internet, providing internal audit and monitoring of the status of ITCS under the influence of information security threats, and ITCS information security management; 

- research and creation of models of technical covert channels, and design of the corresponding counteraction means; development of a methodology of technical information protection for objects of any kind and field of application; 

- design of methods and systems of technical information protection, including the necessary algorithmic support, and analysis and synthesis of analog and digital signal processing means for the sake of objects' information security; 

- creation of quantitative methods and models for the analysis and evaluation of the legal and normative base; research of offense dynamics, and development of forms and methods of crime control in the field of information security and information protection. 



4. HIGHLY QUALIFIED PERSONNEL TRAINING 
EXPERIENCE IN MEPHI 

Highly qualified personnel training in the field of information security has been launched in the Moscow Engineering Physics Institute (State University) (MEPhI). Post-graduate courses in the specialty "Methods and systems of information protection, information security" and a board for candidate and doctoral thesis defense in two fields of science - technical and legal - are available in the university. In future it is planned to broaden the board's privileges by adding the physico-mathematical sciences branch. The post-graduate studies are attended by graduates of the MEPhI's Information Security Faculty who have successfully finished the full educational course and obtained higher education in the specialty "Complex maintenance of automated system information security" or "Jurisprudence". 

Other theses prepared in different scientific and educational centers 
lacking dissertation boards are also accepted for defense. 

In conclusion, a list of several recently defended thesis topics is given as an example: 

1. Research and development of algorithms of secure information access 
in data storage networks. 

2. Research of information protection means’ trustworthiness in 
automated systems of depository services. 

3. Development of algorithms for software cryptographic transforms’ 
modeling and analysis. 

4. Research and development of design methods of complex object 
security systems. 
Abstract: This paper compares and contrasts the curricula of the PhD and Doctor of IT programs in IT Security offered by the School of Computer and Information Science of the University of South Australia. 
1. RELATIONSHIP BETWEEN TITLE AND 
NATURE OF OUR DOCTORAL PROGRAMS 

In the Australian government university system, titles of doctoral programs are very specific. For a technical program in IT Security, the choices available are a Doctor of Philosophy (PhD), which is a research doctorate, and a Doctor of IT (DIT), which is a professional doctorate that needs to contain one-third coursework and two-thirds research. 



2. TYPES OF PROGRAM 

Currently both the PhD and the DIT are offered. The PhD is a long-established research program in a wide range of computer science and IT sub-fields. The DIT is a new program, designed in conjunction with our own local defence-focussed industries, and the first students are yet to be enrolled. 
The DIT is a structured research degree. The DIT degree is differentiated from the Ph.D. by the following features: 

• The structured program of research induction and, most notably, the 
focus on applied research which differs from the structured program 
currently operating within the Divisional Ph.D. induction, in its theory 
and focus on methodology. It is designed to cater to the needs of a 
graduate student cohort configured as mainly, although not totally, part 
time, and with a study focus that complements their work. 

• The provision of opportunities for professionals to update their academic 
knowledge in the latest theory and methodologies within their fields. 

The research induction focuses on applied Information Technology 
Security research, attending to how current industry issues can be 
conceptualised and examined from within the most recent theoretical 
concepts and methodological practices arising in our discipline, and then 
applied to our current IT Security practice. 

• The provision of an extended study semester, to meet the needs of working professionals. The program will be delivered through a mix of intensive summer and winter schools, and face-to-face and online seminar groups and supervision sessions, over a 6 month rather than a 3 month semester. This will enable students to work at a depth and at a pace which will accommodate the demands of their working lives. 



4. DURATION WHEN UNDERTAKEN AS A FULL- 
TIME PROGRAM 

Both the DIT and PhD are 3 year full-time programs but the DIT is 
designed to be studied part-time by practicing professionals. 



5. ENTRANCE REQUIREMENTS 

Both the DIT and PhD require a student to possess at least an upper 
second class honours degree (characterised by at least one semester of 
research) or an equivalent masters degree. The DIT also requires five years 
of appropriate industry experience. The undergraduate qualification is 
expected to be in Computer Science, Computer Systems Engineering and 
possibly in Information Systems. Undergraduate studies would not necessarily have included any coursework focussing primarily on IT or IS security. 



6. PROGRAM STRUCTURE 

The PhD consists solely of three years of research. The research question and research agenda are determined by the Principal Supervisor and the student. While some learning support is available in research methods and thesis writing, the primary, and sometimes total, input comes from the supervisor and, possibly, his or her research group. 

The DIT has the following structure: 

              FIRST YEAR                SECOND YEAR                        THIRD YEAR 

Semester 1    Research Practice         Information Technology Thesis 1    Information Technology Thesis 1 
              Professional Seminar 1 

Semester 2    Professional Seminar 2    Elective                           Elective 
              Elective                  Information Technology Thesis 2    Information Technology Thesis 2 
              Elective 
              Elective 


The only core modules are the Professional Seminar and Research Practice. 

The Electives will be developed out of the Supervisor and research lab 
directors' current research interest and direction. In our case Electives will 
be taken from: 

• Security Architectures 

• E-Commerce Security 

• Ad-hoc wireless network security 

• Forensic Computing 
• Information warfare 

Other electives could also be taken (e.g. in advanced databases) if some correlation between them and the student's potential thesis could be established. 



7. RECOGNITION OF PRIOR LEARNING 

The PhD program does not allow for any recognition of prior learning 
but the DIT program permits credit for prior learning in exceptional cases 
when the applicant is able to demonstrate that the prior learning is the 
equivalent to the core courses in the program. However, exemption will not 
be granted for the thesis component or for research seminars. 



8. REQUIRED SIZE AND NATURE OF RESEARCH 
PROJECT 

A PhD thesis is typically 100,000 words whereas a DIT thesis can be between 30,000 and 50,000 words. The PhD project focuses on creating new knowledge, while a DIT thesis may be of a more applied nature and directed primarily at an industry-focussed applied research issue. 



9. INTERNATIONAL STANDARDS TO BE 
CONSIDERED 

As with other universities in Australia, the University of South Australia tends to focus primarily on the ACM and IEEE for international benchmarking. 



10. POTENTIAL FUNDING SOURCES, INDUSTRY 
PARTNERS AND SCHOLARSHIPS FOR 
RESEARCH PROJECTS 

Our government supplies scholarships for most Australian citizens with 1st class honours degrees or equivalent coursework masters degrees. 
Government funded cooperative research centres can also supply “top-up” 
funding for students and some hardware, software and “in-kind” support. 
Our local situation with respect to industry collaboration and co-operation is good, and projects are supplied by software and hardware companies such as Motorola and Tenix, by our State and Federal Police Departments and by the Defence Science and Technology Organisation, as well as smaller players. 



11. POSSIBLE AREAS OF CURRICULUM SPECIALIZATION 
YOUR ORGANIZATION/INSTITUTION MAY BE ABLE 
TO PROVIDE AS A PARTICIPATING PARTNER 

The University of South Australia would be able to contribute in areas of: 

• Information Security Management - especially cultural issues 

• Security Architectures 

• Ad-hoc wireless network security 

• Forensic Computing 

• Information Warfare 



12. ANY OTHER INFORMATION RELEVANT TO 
THE PROGRAM 

The university has a holistic focus and now tends to want to develop an integrated skill set in researchers. University documentation states that a research student: 

1. has an understanding of current research-based knowledge in the 
field, its methodologies for creating new knowledge, and can 
create, critique, and appraise new and significant knowledge. 

2. is prepared for lifelong learning in pursuit of ongoing personal 
development and excellence in research within and beyond a 
discipline or professional area. 

3. is an effective problem solver, capable of applying logical, critical 
and creative thinking to a range of research problems. 

4. can work both autonomously and collaboratively as a researcher 
within a particular discipline or professional area and within wider 
but related areas. 
5. is committed to ethical action and social responsibility as a 
researcher in a discipline or professional area and as a leading 
citizen. 

6. communicates effectively as a researcher in a discipline or 
professional area and as a leading member of the community. 

7. demonstrates international perspectives in research in a discipline 
or professional area and as a leading citizen. 

Research supervisors, in taking on the supervision task, are acknowledging that they "guarantee to the academic and professional sectors that our research degree postgraduates have already engaged in original research in order to solve significant problems, that in doing so they have learned how to work autonomously and collaboratively, that they have set up lifelong learning patterns and networks, that they have been effectively able to communicate their research findings, that they have performed research in an ethical manner and they have introduced international perspectives into their research." [1] 



They are required to assess my postgraduate students against this generic 
framework and this might be adapted to the IT Security context to give us a 
set of criteria against which to measure the effectiveness of an IT Security 
postgraduate, and potential long-term researcher. 
1. INTRODUCTION 

The purpose of this paper is to present the doctoral programme of study on information and communication systems security at the University of the Aegean, in Samos, Greece, in order to contribute to the discussion within IFIP WG 11.8 towards the definition of an international doctorate programme in the field. 

The doctoral programme of study on information and communication 
systems security at the University of the Aegean is a research doctorate 
programme, which has been offered since the initial operation of the 
Department in 1998 and is still being offered. 
2. PROGRAMME AIMS AND OBJECTIVES 

The main objectives of the doctoral programme are: 

• To give all interested students the opportunity to take advantage of the 
results of the joint effort of several Universities worldwide to develop a 
modular - but integrated - doctoral Programme in the areas of 
Information and Communication Systems Security. 

• To further support the establishment of a wide, international network of 
experts who teach, consult and conduct research in the fields of 
information and communication systems security, as well as the closely 
related fields of dependability and safety. 

• To support, enhance, stimulate and utilise the mobility of University 
students, researchers and teaching staff among different European Union 
Member States. 

• To provide interested industrial and governmental institutions and bodies 
with a unique point of contact and co-operation with several centers of 
excellence in research on information and communication systems 
security, with a real European flavour. 



3. DURATION, ADMISSION AND DEGREE 
REQUIREMENTS 

The duration of the program, when undertaken as a full-time program, varies with several factors, such as the student's actual qualifications on entrance, the student's actual research capabilities, etc.; the duration can vary between a minimum of 3 years and a maximum of 6 years. 

For admission to the programme, an M.Sc. in Information Systems, 
Communications, Informatics, Engineering, Sciences or Business 
Administration is required. An M.Sc. in Information and Communication 
Systems Security is highly desirable. 

Formally, the sole doctoral degree requirement is the successful defense 
of the doctoral thesis before the jury. There is no formal requirement for 
having completed a specific number of course credits, nor for having 
undertaken any coursework, as in all Greek Universities. However, doctoral 
students that do not hold an M.Sc. in Information and Communication 
Systems Security are strongly advised to attend as many M.Sc. courses as 
possible, during the course of their doctoral study. 
4. COURSES 

The following courses are offered in the winter semester (in parentheses the subjects covered): 

Cryptography I (Introduction; Mathematical background: Probability theory, Information theory, Complexity theory, Number theory, Algebra, Finite fields; Crypto services; User authentication; Data authentication; Data integrity; Data origin authentication; Non-repudiation of origin; Data confidentiality; Basic cryptographic principles; Cryptography; Symmetric and asymmetric systems; Principles of authentication; One-way functions and hash functions; Message authentication codes; Digital signatures; Crypto protocols; User authentication protocols; Key management protocols) 

Network Security I (The necessity for network security; Attack types; Basic network security concepts; Technologies and services offered by Certification Service Providers and PKI; Case studies; Security architecture in the ISO/OSI model; Threats; Services and mechanisms; The Internet security architecture; Security protocols at the Internet layer; Security protocols at the transport layer; Security protocols at the application layer; Security protocols above the application layer; Applications, Firewalls; Censorship and context-dependent access control technologies; Privacy enhancing technologies: Anonymous Browsing, Anonymous Publishing) 

Database Systems Security (Database systems architecture; Database models; confidentiality and integrity; security services; authorization; access control, auditing; database security examples; security in SQL environments, secure multilayer databases; privacy protection in databases; logical inferencing; security in object-oriented databases; security in distributed databases; security in federated databases; security in data mining systems; Medical database security; case studies: Oracle RDBMS etc.) 

Crypto algorithms implementation techniques (Implementing crypto algorithms in software and in hardware; Secure systems design; Java security and Java crypto extensions; Security token technology: Smartcards; Case studies) 

The following courses are offered in the spring semester: 

Cryptography II (Modular arithmetic; discrete logarithms; prime factoring; P, NP, NP-complete problems; probabilistic polynomial time algorithms; next-bit checks, random cryptography; zero-knowledge protocols; oblivious transfer; LFSRs: shift registers, m-sequences, linear equivalence, Berlekamp-Massey; Shannon Theory: Entropy, probability, random ciphers, perfect secrecy; Combinatorics: authentication, threshold schemes, secret sharing schemes, key distribution; Design criteria: Non-linearity, correlation properties, Boolean functions, discrete Fourier transform; crypto algorithms evaluation; identification, authentication and digital signature schemes) 

Sokratis K. Katsikas 

Network Security II (Generalised application layer security systems; Distributed authentication systems: Kerberos, SESAME; Network management security: Network management services in OSI networks and in the Internet model: SNMP, CMIP/TMN, JMX; Mobile code security models: Java, ActiveX, SafeTcl; Intrusion Detection Systems; Digital Rights Protection Technologies; Middleware security models; Financial transaction systems security: Electronic Cash Systems, Electronic Checks, Electronic Credit Card Payments, Micropayment Systems; Electronic voting systems security; Wireless network security: Wireless LAN and 802.11, wireless Ad hoc Networks and Bluetooth, wireless Handheld Devices and PDA, Smartphone; Crypto protocols and formal analysis and design methods: The AAPA2 tool) 

Standardisation - Certification - Evaluation (Access control: ISO/IEC 10181-3, ISO/IEC 10181-n; Security mechanism standards: Encipherment algorithm register (ISO/IEC 9979), block cipher mode (ISO/IEC 10116), cryptographic check function (ISO/IEC 9797), digital signatures (ISO/IEC 9796), hash functions (ISO/IEC 10118), key management (ISO/IEC 11770), security management (ISO 17799); Evaluation criteria: TCSEC (Orange Book), ITSEC, US Federal Criteria, Common Criteria, Canadian CTCPEC; Security evaluation: ITSEM, industry standards: ECMA, Posix; Quality standards: ISO 9000; National and international standards in banking: key management, hash functions, digital signatures, data integrity mechanisms, PIN management etc.) 

Social and ethical issues (Computers and society: IT as a revolution and an evolution, the future with IT, knowledge and machines: AI, VR, user interfaces, usability and IT, issues related to the new work environment, change management; privacy and security oriented systems design; ethical issues: work monitoring, surveillance, social control, creativity issues, work transformations, quality of work and life, the new capitalism model; new technologies and economic development; using IT in politics and in elections; deontology and ethical codes; case studies: ACM, BCS, IEEE, IFIP; ethical issues related to hacking; IT security social impact; scientific, research and professional liability; Computer crime; Computing Forensics). 



5. THESIS 

The doctoral thesis must reflect original research work, undertaken by the 
candidate him/herself, that promotes scientific knowledge in the field. There 
is no formal requirement on the actual size of the thesis itself, but the 
average size is approximately 200 A4, single spaced, 12 font pages. 
6. POTENTIAL FUNDING SOURCES 

The best potential source of funding for qualified students is the 
European Union, through its numerous funded research framework 
programmes. Some possibilities also may arise within national programs of 
funded research. Potential non-academic partners include the European 
industry as well as the national industry. Finally, some scholarships are 
offered, but these are limited to Greek nationals only. 



7. CONCLUSIONS 

The doctoral programme of study on information and communication systems security at the University of the Aegean, in Samos, Greece, has been presented, with a view towards contributing to the discussion on the definition of a similar international programme in the field. The Department would be very keen to cooperate with institutions of a similar standing towards the definition, as well as the implementation, of the international doctorate. To this end, some possible areas of curriculum specialization that the Department could contribute to a possible international partnership include security management, network security, and legal, social and ethical issues. 
1. INTRODUCTION AND BACKGROUND 

There is an obvious need to introduce minimal standards in the field of IT security. Today, the situation is very unfortunate in that no internationally accepted minimal standard for IT security knowledge exists. There are, however, national attempts in several countries, mostly following the "core body of knowledge" principle. Curricula suggestions of the ACM, IEEE, ACS and many other computer societies clearly recommend a minimal security education for all IT and IS students. With these organizations and advanced universities driving the development, a reasonable standard could be established in the leading universities of the industrialized world. The problem that very few tertiary educational institutions offer a specialization in IT security, however, still remains to be solved. Ambitious groups and institutions around the world, such as the US National Information Assurance Training and Education Center (NIATEC), the European Erasmus/Socrates partnerships of universities carrying out research-oriented education in IT security (Katsikas & Gritzalis 2000) and the nascent cooperation in this field between universities that are partners in the Australian Technology Network (www.atn.edu.au), indicate that the need for educational cooperation on the national and international level is beginning to be met. The primary motivation behind this cooperation is easy to explain. It is becoming more and more difficult to cover the whole area of IT security as a single educational institution. There are a few examples of universities that can sustain post-graduate programs in IT security on their own, but this is rather exceptional. 



2. WHAT ARE THE NEEDS, WHERE ARE THE 
MODELS TO FOLLOW? 

As mentioned in the introduction there are very few attempts towards the 
internationalization of IT security education, the most promising perhaps 
being the activities being developed inside the European Union. The scale of 
the projects and their resources might be considerably smaller than national 
programs, but their conception is truly international. Successful cooperation 
on curriculum design, joint development of course content, development of a 
credit transfer system that works across several countries, and the exchange 
of staff and students have amply demonstrated that this cooperation is 
possible. When comparing these initiatives with work that is planned or 
already carried out on the national level in the US and Australia, it becomes 
obvious that the intentions of these activities are very similar. 

The major motivation is to spread new knowledge as quickly as possible and to develop the next generation of IT security experts, which, due to the developing threats, must be far larger than the comparatively small group we have today (see the efforts of the IPICS programs). With probably the only exception being defense, all sectors are coping very badly with the effects of attacks and with the need to rethink their approach to systems design, implementation and operation. Government agencies and some selected civilian industry sectors, namely banking and finance, are starting to develop and implement the right responses. 

The experience of the past decade has clearly shown that while 
undergraduate education can be provided, a truly research-oriented education 
that produces the experts needed for developing tomorrow’s solutions, can, 
like in all other fields of science, only be provided in an international setting. 
That is why the few existing large-scale networks in the US and on the 
European level will determine most of the future research outcome. It is very 
specific to IT security that the success of research education is also closely 
linked to national interests. That is why truly international cooperation will 
always be somewhat limited and why currently the only tight cooperation 
model being followed in practice is the one being applied inside the European Union. 



3. DEVELOPING A COMMON RESEARCH AGENDA 
BACKED BY DOCTORAL LEVEL EDUCATION 

Whatever different views on IT security the involved core players 
(governments, industry, and education) might have, the need for closer 
research and educational cooperation becomes evident when looking at the 
many different aspects of IT security. Probably no single institution can 
claim to have top experts in fields being as disparate as law, sociology, 
psychology, and business at one end and cryptography and operating system, 
network and database security at the other. That is why, especially in 
universities in the European Union, a more realistic approach was 
developed. It does admittedly add to the cost of running programs to move 
students and staff around the continent, but given the urgent need of 
networking the present and future generations of IT security experts and 
building expert teams, the return on the investment made can be expected to 
be very high. Pooling knowledge and human resources is the only way of 
meeting the future requirements. In spite of attack patterns becoming more 
and more advanced, the number of successful attacks in relation to the 
number of attacks launched has dropped steeply. This trend justifies the 
sometimes quite heavy investments made in the past and gives IT security 
experts at least some of the much needed time to breathe. 

It is at this stage important to identify possible future threats and to start 
developing respective answers. Crime trend analysis and crime development 
forecasts, as used by criminologists for many decades, seem to be an 
appropriate paradigm to work from. Combined with the monitoring of 
technology trends, this gives an indication of the sort of problems we will be 
exposed to in the coming years. A research agenda can clearly be developed 
from such a scenario, but such a scenario-based analysis can also be used to 
define the educational needs. Meeting these educational needs will in turn 
produce the experts and researchers needed to master the future challenges. 



4. MOVING TOWARDS AN INTERNATIONAL 
RESEARCH EDUCATION PROGRAM 

As the arguments discussed in the previous sections have shown, the 
need for an international cooperation at the upper end of research-oriented 
education clearly exists. 
Given that a not too small number of bureaucratic obstacles will occur 
and that acts of political will like the EU’s Bologna Declaration (Hackl 
2001) will not quickly be repeated on a worldwide level, harmonization of 
content rather than the regulation of programs is the obvious answer. 

We basically have to consider four types of programs: the 
traditional research-oriented Master and PhD programs and the increasingly 
popular professional Master and Doctoral programs. 
Cooperation in the traditional research programs is most easily established 
by appointing international colleagues as supervisors or co-supervisors and 
by allowing students to spend one term or one academic year in the middle 
of their studies at a partner institution (sandwich approach). Provided that 
there are mutual benefits and that the exchange is not a one-way system, this 
type of cooperation is rather easy to handle. 

The real challenge is to establish a collaboration model suitable for 
professional programs that are to a substantial extent based on coursework. 
The challenges will range from the agreement on the content of courses and 
their accreditation to their required number and the duration of the program. 
The experience with cooperating at the level of Master programs across 
several disciplines in the European Union has shown that, unless two 
institutions have very similar academic structures and programs, the 
cross-accreditation of modules or individual courses is the only sustainable 
alternative. 



5. WHAT CAN WE BUILD ON? 

Luckily enough, academics in our field around the globe can build on 
having successfully cooperated in the past, be it in the organization of 
conferences, joint research projects, or staff exchange programs. As essential 
as this personal basis is, it cannot replace more institutionalized approaches. 
When left to single institutions, the resulting number of different models of 
cooperation might easily lead to a chaotic situation. Building on existing 
national (NIATEC, ATN) and international networks (IFIP) is therefore the 
most promising way of moving towards an organized form of cooperation. 
Pioneering models like the Erasmus/Socrates one, which is now applied in 
approximately 30 European countries, can serve as a base to start from. 

As a first step, however, it is essential to identify relevant national and 
international models for academic cooperation and accreditation that already 
exist and are suitable. 
6. CONCLUSION 

National as well as international cooperation in the field of IT security 
research education is still in its infancy, but successful pioneering efforts 
made in the US, Europe and Australia are indicating that especially 
universities at the cutting edge of technology are driving towards 
establishing the necessary environment. It is only a matter of time for these 
advanced groups to join forces and establish mutually accredited research 
and professional education frameworks. With the increasing need for 
national and international cooperation in the area of cyber crime prevention 
it is definitely not a minute too early to start thinking about establishing 
educational standards to assure that experts participating in joint efforts can 
count on their partners having the right level of expertise. It is obviously 
research and development projects that will benefit first, but the positive 
impact on industry and government cannot be denied, e.g. in cyber crime 
prevention and IT forensics. 



7. RECOMMENDED RESOURCES 

NIATEC: http://cob.isu.edu/schou/niatec.htm 
NCISSE: http://www.ncisse.org 
ATN: http://www.atn.edu.au 

IPICS: http://www.tol.oulu.fl/kurssit/8 1 1 327 AdPICS2004.htm 

(Hackl 2001) Elsa Hackl, Towards a European Area of Higher Education: Change and 
Convergence in European Higher Education. EUI Working Papers, Rsc. No. 2001/09. 
European University Institute, Badia Fiesolana, 1-50016 San Domenico (FI), Italy. 

(Katsikas & Gritzalis 2000) Katsikas S., Gritzalis D. (Eds.), A proposal for a postgraduate 
programme on information and communication systems security, European Commission, 
SOCRATES & Youth TAO, Report IS-CD-4b, Athens, January 2000. 
Abstract: The rate of technological advancement and the relative disparity of military 
power amongst many countries have fueled an oncoming revolution in 
warfare. To prepare to defend against the new emerging technology threats, 
forces must invest time and resources to develop a corps of soldiers capable of 
using and defending against advanced technology. 
1. INTRODUCTION 

Military forces are in a state of technological transition where advances 
in robotics, artificial intelligence, high performance computing, and 
communications are setting the stage for a potential revolution in the 
conduct of war. Some might argue that the revolution has begun. 
Developing core competencies in the areas of information technology in the 
military services is critical to the establishment of policies and procedures to 
usher in new paradigms in warfare. This is increasingly important as rapidly 
advancing technologies are fueling the deployment of force multiplying 
tools without clear policy or soldier training. A revolution in warfare is 
described as¹: 



¹ Tom McKendree, The Revolution in Military Affairs — Issues, Trends, and Questions for 
the Future, paper presented at 64th MORS Conference, Fort Leavenworth, Kansas, June 
1996 

The views expressed are those of the authors and do not reflect the official policy or position of the 
United States Military Academy, the Department of the Army, the Department of Defense or the United 
States Government. 
“a military technical revolution combining [technical advances in] 
surveillance, C3I [command, control, communications, and intelligence] 
and precision munitions [with new] operational concepts, including 
information warfare, continuous and rapid joint operations (faster than 
the adversary), and holding the entire theater at risk (i.e., no sanctuary for 
the enemy, even deep in his own battlespace).” 



The existence of a cyber threat is now universally accepted. Clearly the 
conditions exist for a new pattern in war fighting and military forces must 
leverage the new technologies or become a victim of their use. Potential 
actors include hackers, hacktivists, industrial spies, organized crime groups, 
terrorists and national governments. The most serious threat comes from 
nation states. The PLA Daily reported in January 2003² that the Chinese 
government was taking “new steps in the Air Force Engineering University 
to train high-quality military talents targeting on the academic leading 
edge.” Additionally, development of a Chinese “Cyber Corps” has been reported 
as early as 2001. Other countries have responded to this threat: Taiwan 
established an Information Warfare force in 2001 to counter potential 
Chinese cyber-attacks.³ The force will eventually be about battalion sized 
and be independent of any military service.⁴ The South Korean government 
is planning on establishing specialist units for cyber warfare.⁵ The Japanese 
Defense Agency is also rumored to be establishing a cyber-warfare 
organization. 

The need for a growing and evolving knowledge base in information 
security as part of the transition to technological warfare should be clear, as 
well as the need to continue to engage in understanding and developing new 
technologies. To effect the leveraging of these emerging technologies, 
members of the military must understand the technologies and be directly 
involved in the research and development process. 



² Ren Peilin and Meng Feng, 
http://english.pladaily.com.cn/english/pladaily/2004/01/06/20040106001028_ChinaMilitaryNews.html, 
January 6, PLA Daily 

³ Jane’s Defence, Jane’s Sentinel Security Assessment, Armed Forces - Taiwan, 9 April 2002. 

⁴ Jane’s Defence, Jane’s Sentinel Security Assessment, China and Northeast Asia, 8 March 2001. 

⁵ Jane’s Defence, Jane’s Sentinel Security Assessment, China and Northeast Asia, 9 April 2002. 
2. EXISTING DEPARTMENT OF DEFENSE 
SUPPORTED PHD PROGRAMS 

The United States Military has long recognized the necessity to have 
service members educated and involved in the various technologies being 
employed. Currently the services have thousands of soldiers enrolled in 
advanced degree programs for the purpose of bringing technology back to 
the individual service. The programs attended by the soldiers have no 
definitive restriction on where the advanced degree is attained. Currently, 
Department of Defense personnel attend programs ranging from United States public 
and private colleges and universities to programs in foreign countries. The 
diversity, both in focus and location, of the programs attended by soldiers is 
critically important to the continued growth of not only academically 
qualified but also culturally diverse educated soldiers. A brief history of the 
quest for educated soldiers in the United States is⁶: 

• 1802 - President Thomas Jefferson signed legislation authorizing 
the creation of the United States Military Academy, the first 
engineering school in the United States. 

• 19th century - Most large engineering projects completed in the 
United States benefited directly from the involvement of West Point 
graduates. 

• 1925 - The Army sent Jimmy Doolittle to the Massachusetts 
Institute of Technology to earn a doctorate in aeronautical 
engineering. 

• WWII - Numerous scientists in uniform served the nation and the 
Army. 

• 1947 - MAJ GEN Henry S. Aurand, director of research and 
development, general staff at the War Department, tried to create a 
corps of scientist-officers. 

• 1984 - Lt. Gen. Maxwell Thurman, Army deputy chief of staff for 
Personnel, directed the establishment of the Army’s Technology 
Enhancement Program (TEP), sending officers to masters and 
doctoral programs. 

• 1985 - Brig. Gen. Hines, deputy commanding general of the Army 
Personnel Command, created a new officer branch to manage 
officers in the TEP - the Science and Technology Corps. 

• 1990 - Gen. William Tuttle, commanding general of the Army 
Materiel Command, offered 140 positions for a Uniformed Army 
Scientist program. 



⁶ Barry Shoop and Kenneth Alford, “Army Transformation: Uniformed Army Scientists and 
Engineers,” CrossTalk, The Journal of Defense Software Engineering, December 2002. 
• 2002 - Gen. Eric Shinseki, Army Chief of Staff, approved in 
principle the establishment of a formal Uniformed Army Scientist 
program. 

• 2004 - First officers selected for the Uniformed Army Scientist 
program. 

In 1996, a report issued by the Army Science Board stated⁷: 

“... the Army’s reliance on modern weapon systems and technology has 
been growing, its cadre of technology-literate line officers and science, 
math, and engineering (SM&E)-educated officers has been reduced.” Six 
years later in 2002, the formal Uniformed Army Scientist program was 
defined to address this shortfall. 

Focusing more specifically on information assurance, the United States 
Department of Defense has established an Information Assurance 
Scholarship Program. This program consists of three Department of 
Defense Centers of Academic Excellence in Information Assurance that 
sponsor graduate programs in information assurance. These three 
institutions are the Information Resources Management College (IRMC) of 
the National Defense University (NDU), the Naval Postgraduate School 
(NPS), and the Air Force Institute of Technology (AFIT). Partner schools 
include: George Mason University, James Madison University, Mississippi 
State University, Syracuse University, University of Dallas, University of 
Maryland Baltimore County, University of Maryland University College, 
University of North Carolina Charlotte, and the University of Tulsa. 



3. MILITARY NEEDS 

The needs of the Department of Defense differ in some important ways 
from other market sectors. The non-Department of Defense markets 
receiving students graduating with advanced degrees tend to pick the most 
qualified from the set of graduates. If a student does not complete the 
program or does nothing to set him or her apart from the other graduates, 
the only loss is to the student. In Department of Defense programs, officers 
typically will return to the service regardless of their performance in the 
degree program. Additionally, in the past, the pursuit of advanced degrees 
has not been seen as a promotion enhancing activity. This greatly reduced 



⁷ U.S. Army, “The Science and Engineering Requirements for Military Officers and Civilian 
Personnel in the High Tech Army of Today and Tomorrow.” Army Science Board Study, 
Feb. 1996. 
the set of qualified officers seeking to enroll in masters or doctoral 
programs. 

3.1 Unique Need for Rapid Return to the Force 

The framework for programs designed to support the Department of 
Defense needs to focus on a seemingly competing set of goals: the need to 
produce highly educated officers, skilled in information assurance, and the 
need to have those highly educated officers out of degree programs as 
rapidly as possible to ensure maximum productivity while in the service. A 
normal career in the United States military is 20 years. Currently officers 
are not identified for a doctoral degree program until they have been in 
the service for ten or twelve years. Even at that point several must still 
complete a masters program. This places the service and the soldier in a 
difficult situation if there are any delays in completing the academic 
program. 

3.2 Skill Sets 

Another area that differs from other markets is the focus on a more hands-on 
experience in the designated domain. As indicated previously, the 
longevity of many officers after completing a doctoral program is somewhat 
limited. The ability of an officer to learn the necessary skills in a specific 
domain is crucial to the ability of the officer to contribute. 

The skill sets attained while in pursuit of a doctoral degree are most 
beneficial when they are tied to a specific problem that the officer will tend 
to when leaving the school environment. This is difficult to implement in 
practice given the widely varying interests and foci of sponsoring faculty at 
the different degree granting institutions and the classification level of some 
research. 

3.3 Advantages To A Multi-University / Multinational 
Program 

The mission of the armed forces for the United States is entirely outward 
focused. In fact, the United States constitution has specific clauses 
prohibiting the use of active duty members of the armed services from 
operating (other than training) in the United States. This presents the 
Department of Defense with a unique goal of producing culturally diverse 
officers capable of interfacing with other nationalities. One might argue that 
a service member with a doctoral degree would no longer be considered in 
the collection of officers with an outward focus, however at the most basic 
level, every soldier regardless of specialty must be able to function in the 
basic mission. A program designed to place the officer in programs in 
countries other than the United States is the most direct way of achieving 
this diversity and understanding while at the same time moving toward our 
educational goal. 

A second advantage to service members completing all or part of their 
degree in an institution outside the United States is the different academic 
foci. As more collaboration is conducted amongst geographically close 
schools, the research content and methodology of the institutions naturally 
begins to homogenize. Much like the cultural diversity goal of the 
Department of Defense, a diverse approach to formulating and solving 
problems should be a heavily weighted consideration. 

3.4 Disadvantages To A Multi-University / Multinational 
Program 

The primary disadvantage to conducting a multi-institution program of 
study is the coordination of research goals and practices. As important as it 
is for the Department of Defense to have diverse officers, the integration of 
differing processes, which can in some cases be fundamental in nature, make 
collaboration difficult, if not impossible. Additionally we must consider the 
goal of conducting directly relevant research and the timely completion of 
the doctoral research. 

The nature of Department of Defense sponsored research adds a further 
layer of complexity to research area development where security 
classifications are a problem. This however can be mitigated and does not 
present an insurmountable hurdle. 

The third area of concern is the time it takes to complete the program. 
Like the research process, inserting disruption in the dissertation process has 
the potential of disrupting the successful completion of the research. An 
officer typically must complete a masters program in two years and a Ph.D. 
in three years. If not completed in the three-year window, the officer may 
continue the dissertation for an additional two years, but must do so in 
addition to normal military duty. Completing a Ph.D. under the umbrella of 
a two-year extension is very difficult, and the challenge is compounded as 
travel to the institution (New York to Sydney, for example) adds complexity. 



4. CONCLUSION 

The goals of a Military PhD program must be formulated with the focus 
of advancing the ability for the service to fight and win wars. Today, the 
militaries of the world are on the verge of a revolution in waging war. The 
advancement of technology will impact the way we fight on many fronts. 
As an example, depending on the sophistication of the enemy, significant 
disruption, aimed at an enemy’s center of gravity, can be attained through 
cyber attacks. The ability of a force to capitalize on technological advances 
before an enemy will be a defining factor in victory. In the late 1800’s, Sir 
William Francis Butler, notwithstanding the specific technology, recognized the 
necessity of education: 

“The nation that will insist on drawing a broad line of demarcation 
between its fighting man and the thinking man is liable to have its 
fighting done by fools and its thinking done by cowards.” 

The Department of Defense goals of diversity, timely completion, and 
rapidly transferable experience need to be balanced with establishing a 
productive framework within which a successful doctoral program can be 
completed. 
Abstract: A doctoral program in computer science with a specialization in information 
security is described. The focus of the program is constructive security. Key 
elements of the program are the strong computer science core upon which it 
builds, coursework on the theory and principles of information assurance, and 
a unifying research project. The doctoral candidate is a member of the project 
team, whose research contributes to the goals of the project and to 
fundamental advancements in high assurance security. 
1. INTRODUCTION 

As computing platforms become smaller, increasingly pervasive, and 
highly networked, the rampant exploitation of system vulnerabilities 
represents a threat to our ability to safely use information technology. Those 
who choose to wreak havoc on our systems do so with impunity. Fear that 
flawed systems may invite problems ranging from the annoyances of spam, 
identity theft, and loss of productivity, to catastrophic damage to critical 
information is turning computing from an enabling to a disabling 
technology. We are faced with the prospect that Gresham’ s Law will once 
again hold: the bad will drive out the good. 

To address these problems in a military context, the Center for 
Information Systems Security Studies and Research (CISR) at the Naval 
Postgraduate School (NPS) has developed a program in Information 
Assurance and Security education that addresses a broad range of 
information security issues through education and research. An important 
element of that program is the nurture of doctoral students. 

1.1 Computer Science Ph.D. Program Overview 

To conduct doctoral research in information security at NPS, one must 
look to the Computer Science Department. NPS started its Computer Science 
program in the mid 1970s and has offered Ph.D. degrees, i.e. research 
doctorates, for over two decades. The majority of students at the Naval 
Postgraduate School are engaged in a terminal Master’s Degree program, 
while a smaller number are involved in the doctoral program. The Ph.D. 
program meets several objectives by providing educators to military 
universities, research-level personnel to oversee a wide range of technical 
projects in the military and government, and researchers in government 
laboratories. 

The duration of the Computer Science Ph.D. program is three years for 
full-time students. This may seem short relative to the four to five years 
usually required for doctoral students at other U.S. institutions; however, 
NPS students are atypical with respect to the benefits afforded them. First, 
their tuition is paid for in its entirety by a sponsoring entity such as one of 
the military services or the U.S. Government. Second, each student 
continues to receive a pre-student salary from the sponsoring organization. 
Thus, the students have the freedom to pursue their studies without the 
distraction caused by attempting to offset their educational costs through 
external employment. Their work is also accelerated because NPS is on a 
year-round calendar with four full quarters of teaching and research per year. 

In general, applicants to the Ph.D. program in Computer Science at NPS 
must have a Master’s Degree in Computer Science or closely related field. 
Admission to NPS requires the submission of certified transcripts of all 
courses taken at the university level, both undergraduate and graduate. 
Graduate Record Examination scores are required for applicants not 
currently at NPS. It is expected that all grades and scores will be above 
average. Supporting material, such as a Master’s thesis, research reports, or 
published papers, that demonstrates the candidate’s ability to conduct 
research is also encouraged. International students and non-native English 
speakers are required to score well on the TOEFL examination as a 
requirement for admission to the NPS Ph.D. program. 

A Master’s degree in Computer Science is an expected prerequisite. In 
some fields, the Master’s degree is considered a “consolation prize” for 
students failing to pass certain examinations for the doctoral degree. This 
means that these programs often admit students with the intent of taking 
them directly to the doctorate without stopping for a Master’s degree. In 
contrast, a Master’s degree in Computer Science is deemed a valuable 
terminal degree and is a generally expected milestone. 

The funding model for Ph.D. programs at NPS is quite different from that 
of most other U.S. universities. Military and government civilian students 
are sponsored by a military service or agency. Thus, all of tuition and salary 
(at the pre-student income level) is paid for by external sources and does not 
have to be sought by the faculty Ph.D. supervisor. Some doctoral students 
are existing employees who have been involved in ongoing research 
projects. In such cases, the dissertation advisor is obliged to seek continued 
research support for the dissertation research through scholarships or 
research grants from a variety of funding agencies such as the National 
Science Foundation, the Office of Naval Research, the Defense Advanced 
Research Projects Agency, etc. 

Support is also possible through industry as several of our ongoing 
research projects in cyber security involve industry partners. Usually these 
partnerships revolve around the use of specialized equipment or software, 
but they occasionally include financial support. We discourage doctoral 
students from engaging in proprietary or classified research, since the results 
would have restricted distribution and therefore not be considered a 
contribution to the overall body of knowledge in Computer Science, a 
requirement for a successful dissertation. 

Each doctoral candidate is required to demonstrate knowledge of core 
computer science by passing a written qualifying examination. In addition, 
students must meet requirements in a minor subject and must pass an oral 
qualifying examination, the latter before commencing dissertation research. 
Upon completion of the dissertation, the candidate must defend the work in 
an oral examination. 



1.2 Information Assurance and Security Specialization 



Over the past decade, the thirteen quarter-long information security 
courses listed in Table 1 have been developed and are offered by the 
Computer Science Department. Many prerequisites are cumulative, i.e. 
Operating Systems requires Discrete Mathematics, Data Structures, 
Computer Architecture, and an appreciation of programming fundamentals. 



Table 1. Information Assurance and Security Courses with their Prerequisites 

Course   Course Title                                         Prerequisites                              MS   PhD 
CS3600   Introduction to Information Assurance                Computer Architecture                      ✓    ✓ 
CS3640   Analysis of DoD Critical Infrastructure Protection   CS3600                                     ✓    X 
CS3670   Secure Management of Systems                         CS3600                                     ✓    X 
CS3675   Network Vulnerability Assessment                     CS3600                                     ✓    X 
CS3690   Network Security                                     CS3600, Networking                         ✓    X 
CS4600   Secure Systems                                       CS3600, Networking, Operating Systems      ✓    ✓ 
CS4603   Database Security                                    CS3600, Databases, Operating Systems       ✓    X 
CS4605   Security Policies, Models and Formal Methods         Discrete Mathematics, CS3600, Algorithms   ✓    ✓ 
CS4610   Information Ethics                                   none                                       ✓    X 
CS4614   Advanced Topics in Computer Security                 CS3600, CS4600, CS4605                     ✓    ✓ 
CS4677   Computer Forensics                                   CS3600, CS3670, Computer Architecture      ✓    X 
CS4680   Introduction to Certification and Accreditation      CS3600, CS3670, CS3690                     ✓ 
CS4685   System Certification Case Studies                    CS3600, CS3670, CS4680                     ✓    X 

Masters students may enroll in all of the courses listed in Table 1, while 
doctoral students enroll in selected (checked) courses intended to prepare 
them for dissertation research. Candidates in the Information Assurance and 
Security specialization generally meet their minor requirements by enrolling 
in courses in Mathematics or Electrical and Computer Engineering. A more 
concrete binding to the minor is achieved by having the non-Computer 
Science Dissertation Committee member come from one of those 
departments. 

Dissertation research consumes the vast majority of a doctoral 
candidate's time. While prior experience and learning may shorten the 
duration of a candidate’s research program, there is currently no formal 
recognition of those achievements. For example, a candidate with 
significant experience in the use of formal methods for high assurance 
development would have a head start when embarking on a program of 
related research. 

Research for a Ph.D. requires that each student conduct dissertation 
research on an original topic that results in a new contribution to the field of 
computer science and, in this case, information security. The size of the 
dissertation is of less importance than its quality and contribution. (Louis de 
Broglie (1923) provides an example of high quality brevity.) 
2. UNIFYING HIGH ASSURANCE RESEARCH PROJECT 

Doctoral research is generally centered around a unifying research 
project being conducted by a member of the faculty. Currently CISR has 
embarked on the Trusted Computing Exemplar (TCX) Project (Irvine et al. 
2004b), which provides a context for Masters theses and Ph.D. dissertation 
research. A brief motivation for and description of this effort follows. 

2.1 Motivation 

Much of the global critical infrastructure has now been constructed using 
commodity systems and depends upon “layered defenses” for which there is 
no well-founded protection model (Schell 2001). Through a process of 
constructive security engineering it is possible to describe security 
architectures for which there is a concrete protection model (Irvine 2003). 
These architectures can combine both commodity elements and components 
at selected junctures that provide high assurance of correct policy 
enforcement as well as evidence that they have not been subverted (Irvine 
2004a). The TCX project is motivated by a recognition that construction of 
high assurance systems has not been a priority in the commercial sector. 
Even during the 1970s and 1980s, only a few score people contributed to the 
construction of high assurance systems and information was insufficiently 
detailed at best (Gasser 1988, Schell et al. 1973). To exacerbate the esoteric 
nature of these systems, those that were successfully developed were 
classified or proprietary. Market-driven academic institutions have not 
invested in course materials that teach the concepts of high assurance secure 
systems development in a coherent manner. Thus, we lack the availability of 
high assurance trusted systems, developers who can create these systems, as 
well as public domain worked examples upon which new projects could be 
modeled. 

2.2 Trusted Computing Exemplar Project 

The Trusted Computing Exemplar Project is intended to provide an 
openly distributed worked example of how high assurance trusted computing 
components can be built. It encompasses four related activities: creation of a 
prototype framework for rapid high assurance system development, 
development of a reference-implementation trusted computing component, 
evaluation of the component for high assurance, and open dissemination of 
results related to the first three activities. Each of these is discussed in 
greater detail below. 

Cynthia E. Irvine and Timothy E. Levin 

2.2.1 Rapid high assurance system development framework 

A prototype high assurance development framework is being created, and 
used to design and develop a reference implementation trusted computing 
component, the TCX Separation Kernel. High assurance methodologies and 
techniques are applied during the entire lifecycle. The TCX project is using 
openly available tools for the development framework; these tools are 
selected on the basis that they do not impose restrictive licensing 
requirements upon the results of the effort. The prototype framework for 
rapid high assurance development is intended to provide a set of 
interoperable tools and define a set of efficient, repeatable procedures for 
constructing trusted computing systems and components. 

2.2.2 Reference-implementation trusted computing component 

We are developing a high assurance, embedded micro-kernel, and trusted 
application, as a reference implementation exemplar for trusted computing. 
The TCX Separation Kernel will enforce process and data-domain 
separation, while providing primitive operating system services sufficient to 
support simple applications. 

2.2.3 High assurance evaluation 

Under sponsorship from the National Security Agency, we are the lead 
writers of a Separation Kernel Protection Profile. This effort will result in an 
official NSA protection profile, which will be used for the evaluation not 
only of our Exemplar Separation Kernel, but also of a wide range of trusted 
separation kernels. This work is a key first step toward evaluation. 

2.2.4 Open dissemination of results 

To provide materials to other educators who want to learn about and 
teach the techniques of high assurance design, development and engineering, 
we will make all of the results of our activities available. The 
documentation, source code, development framework and other evidence for 
a third-party evaluation will be made openly available as they are produced, 
providing previously unavailable examples of “how-to” for high assurance 
trusted computing. This will include not only the code and evaluation 
documentation, but descriptions of the analysis and decisions that took place 
in our efforts. 
A wide range of research topics has emerged from the TCX activities. 
Examples include surveys and applications of formal methods; modeling; 
hardware analysis; protocol analysis; development of materials related to 
Common Criteria evaluations; and tools design and implementation. The 
TCX project has already provided thesis areas for two graduated Masters 
students and, currently, the effort provides research topics for six Masters 
students and two doctoral candidates. The breadth and depth of the project 
will continue to accommodate future students. 

An advantage of the overarching project is the involvement of the student 
as part of a larger team tackling a wide range of project-related research and 
development. In choosing a model for a unifying research project, Multics 
(Corbato 1965) was viewed as a highly successful example. Even though the 
student may concentrate his or her thesis or dissertation research on a small, 
highly focused research topic, the exposure to the work of others and the 
appreciation of the challenges associated with high assurance secure 
technology contributes to a broader perspective. Often, the research projects 
benefit from the insights drawn from the operational experiences of the 
students. 



3. CONCLUSION 

A research doctoral program has been described. It is based upon a core 
in computer science and provides both classes and research in computer and 
network security. A theme underlying all coursework and research is that of 
improving cyber security through constructive security engineering. Through 
a unifying research project doctoral research is given a context. The team 
approach provides a stimulating learning environment. 
Abstract. This paper proposes a formal model of the Bellare-Rogaway type [Bellare and Rogaway, 1994] that enables one to prove the security of an anonymous credential system in a complexity theoretic framework. The model abstracts away from how a specific instance of anonymous credential system achieves its goals; instead it defines what these goals are. The notions of credential unforgeability, non-transferability, pseudonym unlinkability and pseudonym owner protection are formally defined and the relationships between them are explored. The model is a step towards a formal treatment of the level of privacy protection that anonymous credential systems can and should achieve, both in terms of pseudonym unlinkability and user anonymity. 

Keywords: anonymous credential systems, pseudonym systems, privacy, anonymity, 
unlinkability, provable security 

1. INTRODUCTION 

1.1 Background and motivation 

Anonymous credential or ‘pseudonym’ systems allow users to interact with organisations using distinct and unlinkable pseudonyms. In particular, a user can obtain a credential (a statement of a designated type that attests to one or more of the user’s attributes) from one organisation and then ‘show’ it to another, such that the two organisations cannot link the issuing and showing acts; this renders the user’s transactions unlinkable. Of course this unlinkability is limited; if only one credential is ever issued with a particular set of attributes, then clearly all credential showings containing this set of attributes can be linked to each other and to the unique issued credential. Pseudonym systems must prevent users from showing credentials that have not been issued (i.e. they must guarantee ‘credential unforgeability’), and prevent users from pooling their credentials (for example, to collectively obtain a new credential that each user individually would not be able to). This latter property is usually referred to as ‘credential non-transferability’. 

Security models of pseudonym systems, and proofs (where given), do not usually allow reasoning about the resulting degrees of user anonymity and pseudonym unlinkability. This paper, following the ideas first set out by Bellare and Rogaway in [Bellare and Rogaway, 1994], proposes a model that is based on complexity theoretic arguments and which potentially leads to information theoretic anonymity metrics. It abstracts away from the particulars of how specific pseudonym system instances achieve their goals; instead it focuses on what these goals are. The model captures security properties for both organisations (credential unforgeability and non-transferability), and users, both in terms of ‘traditional’ security (pseudonym owner protection) and privacy (pseudonym unlinkability and user anonymity). The model makes a clear distinction between the different notions and allows the relationships between them to be analysed. 

1.2 Related work 

Pseudonym systems were first introduced by Chaum in the 1980s [Chaum, 1985]. Since then, numerous pseudonym systems have been proposed, each with its own particular set of entities, underlying problems, assumptions and properties. Some examples are given in [Brands, 2000; Camenisch and Lysyanskaya, 2001; Chaum and Evertse, 1987; Damgard, 1990]. The most relevant work to this paper is probably the formal treatment of the anonymous credential system in [Camenisch and Lysyanskaya, 2001]. There, security is defined based on the indistinguishability between the transcripts of protocols that occur in an ‘ideal’ world (where a universally trusted party guarantees security), and the ‘real world’ (where such a party does not exist). In that model, transactions between users and organisations correspond to well-defined events, and the adversary acts like an event scheduler; he can arbitrarily trigger events of his choice. In the model of [Camenisch and Lysyanskaya, 2001], however, the relationship between the different security notions that a pseudonym system should satisfy is somewhat hidden by the fact that the universally trusted party takes care of them. Also, in that model, the adversary is not allowed to corrupt players in an adaptive fashion. While our model retains the property that the adversary gets to specify the order of events in the system, he can also adaptively corrupt players. Further, the model allows a relatively easy analysis of the relationships between different notions. This is due to the fact that we abstract away from properties that do not lie at the same level of abstraction as that at which a pseudonym system operates. 

1.3 What we don’t do 

Our model does not capture ‘traditional’ communications security properties, such as entity authentication. This is not an omission; these issues are outside the scope of the model (other well-established security models can be used to reason about such issues). Of course, if users do not authenticate organisations, and if the integrity and confidentiality of communications in the system are not guaranteed at the session level, then there cannot be any security. However, the way these services are provided lies at a different level of abstraction. We therefore assume that they are provided by the infrastructure that allows users and organisations to communicate. We also assume that, within this infrastructure, users remain anonymous to organisations (i.e. we assume an anonymous channel). 

The remainder of the paper is organised as follows. The next section describes the formal model of pseudonym systems. Section 2.2 establishes the notions of pseudonym owner protection, credential unforgeability and credential non-transferability, which together capture the notions of soundness for a scheme. Further, section 2.3 provides a brief discussion of the notions and explains the relationships between them. Section 2.4 establishes the notion of pseudonym unlinkability which is discussed in section 2.5. Further, section 2.6 establishes the notion of pseudonym indistinguishability and shows it is a necessary condition for unlinkability. Finally, section 2.7 addresses the issue of anonymity in pseudonym systems, while section 3 concludes the paper and gives directions for further research. 

2. SECURITY OF PSEUDONYM SYSTEMS 

In this section we describe our model of a pseudonym system. We regard a pseudonym system as being comprised of the players in the system and the procedures through which they interact. The players, in particular, are divided into users, issuing organisations and verifying organisations. Since users are known to each organisation under a different pseudonym, indeed possibly under multiple pseudonyms, a procedure must be in place according to which a user and an organisation establish a new pseudonym; we call this the ‘pseudonym establishment protocol’. Procedures must also be in place that allow users to obtain credentials (on the pseudonym that was established with the issuer) and to show them (on the pseudonym that was established with the verifier). We call the former the ‘credential issuing protocol’ and the latter the ‘credential showing protocol’. 

In our model, credential types are in one-to-one correspondence with (combinations of) user attributes; in other words, each combination of attributes defines a credential type. An organisation, for example, that issues demographic credentials containing the fields sex and age group, with possible values of {male, female} and {18−, 18–30, 30–50, 50+} respectively, in our model may actually issue up to 8 different credential types (one for each combination of values). 

2.1 The model 

A protocol prot is assumed to be a tuple of interactive Turing machines; an execution of prot is said to be successful if and only if all machines accept. The set of all non-zero polynomial functions in the natural number k is denoted by $\mathrm{poly}(k)$. A real-valued function $\epsilon : \mathbb{N} \to \mathbb{R}$ is said to be negligible in k if and only if $0 < \epsilon(k) < 1/|q(k)|$ for any $q \in \mathrm{poly}(k)$ and for all sufficiently large k. 

REMARK 1 We are concerned in this paper with situations where two functions f and g satisfy $f(k) > g(k) + \epsilon(k)$ for any negligible function $\epsilon$ and for all sufficiently large k. To simplify the discussion we abuse our notation slightly and simply say that f is greater than $g + \epsilon(k)$, i.e. we omit explicit references to k, and we also omit the rider ‘for all sufficiently large k’. 

DEFINITION 1 A pseudonym system is a tuple 

$(k, \mathit{init}, U, I, V, P, T, \mathit{peprot}, \mathit{ciprot}, \mathit{csprot})$ 

whose elements are as follows. 

■ k (a natural number) is the system security parameter. 

■ init is the initialisation algorithm; on input k, it outputs the elements of the sets U, I, V and descriptions of the sets P, T. Hence, U, I, V (and also P and T) are (implicitly) regarded as functions of k. 

■ U is the set of users, $|U| \in \mathrm{poly}(k)$. 

■ I is the set of credential issuing organisations (‘issuers’ in short), $|I| \in \mathrm{poly}(k)$. 

■ V is the set of credential verifying organisations (‘verifiers’ in short), $|V| \in \mathrm{poly}(k)$. 

■ P is the set of pseudonyms. 

■ T is the set of credential types. 

■ peprot is the pseudonym establishment protocol: any user/organisation pair $(u, o) \in U \times (I \cup V)$ may execute peprot; if the protocol succeeds, u and o will have established a pseudonym $p \in P$ and we write $\mathit{peprot}_{u,o,p}$. (The user u is called the owner of p and will typically also possess some private output associated with p as necessary to engage in ciprot and csprot.) 

■ ciprot is the credential issuing protocol: any user/issuer pair $(u, i) \in U \times I$ may execute ciprot with respect to a pseudonym $p \in P$ associated with u and i (established using peprot) and for a particular credential type $t \in T$. If successful, we say that i has issued a credential of type t on pseudonym p to u, and we write $\mathit{ciprot}_{i,p,t}$. 

■ csprot is the credential showing protocol: any user/verifier pair $(u, v) \in U \times V$ may execute csprot with respect to a pseudonym $p \in P$ associated with u and v (established using peprot) and for a particular credential type $t \in T$; if the protocol succeeds we say that u has shown a credential of type t on pseudonym p to v and we write $\mathit{csprot}_{u,p,t}$. 

Each issuer $i \in I$ defines a set $T_i \subseteq T$ of credential types that it intends to issue in the future¹. It is required that, for all distinct $i, i' \in I$, $T_i \cap T_{i'} = \emptyset$². We denote the set of active credential types in the system by $T^* \stackrel{\mathrm{def}}{=} \bigcup_{i \in I} T_i$. It holds that $|T^*| \in \mathrm{poly}(k)$. 

2.2 The games and soundness 

In order to formalise our notions of security for a pseudonym system, we define a series of games between two Turing machines: a Challenger and an Adversary. Each game captures a specific property of the pseudonym system. In this section we define Game 1, which captures ‘pseudonym owner protection’, Game 2, which captures ‘credential unforgeability’, and Game 3, which captures ‘credential non-transferability’. 

In sections 2.4 and 2.6 below we define Game 4 and Game 5, which capture ‘unlinkability’ and ‘indistinguishability’ of pseudonyms, respectively. 
At the beginning of all games, the Challenger sets up the system by running init. At this point, the Challenger controls all users, issuers and verifiers of the system. He defines the sets $T_i$ for each issuer. The Adversary, which is assumed to be a probabilistic polynomial time (and space) algorithm and is denoted by A, then receives as input the sets U, I, V, and $T_i$, descriptions of the sets P and T, and the system's public information. As explained above, it is assumed that the underlying communication infrastructure provides authentication of issuers and verifiers to users, that it protects the integrity and confidentiality of their communications, and that it binds each protocol execution to exactly one session between the involved parties. Thus, A models a passive adversary that faithfully transmits messages between parties. 

Each of the games consists of two distinct and successive phases. During the first phase of each game, A may issue (oracle type) queries to the Challenger; during the second phase he may not. During the first phase of Games 1, 2 and 3, A may issue the following types of query to the Challenger. 

runpeprot(u, o): A may arbitrarily select a user/organisation pair $(u, o) \in U \times (I \cup V)$ and issue this query. When this happens, the Challenger makes u and o execute $\mathit{peprot}_{u,o,p}$. The Challenger replies true if the protocol execution is successful and false otherwise. (If the execution is successful, u and o will have established a new pseudonym $p \in P$; A, however, does not learn its value.) 

runciprot(u, i, t): A may arbitrarily select a user/issuer pair $(u, i) \in U \times I$ and a credential type $t \in T_i$ and issue this query. When this happens, the Challenger selects a pseudonym p from the set of pseudonyms that u and i have established³ and makes u and i execute $\mathit{ciprot}_{i,p,t}$. He replies true if the protocol execution is successful and false otherwise (including the case where u and i have not established any pseudonym). Note that A does not learn the value of p. 

runcsprot(u, v, t): A may arbitrarily select a user/verifier pair $(u, v) \in U \times V$ and a credential type $t \in T$ and issue this query. When this happens, the Challenger selects a pseudonym p from the set of pseudonyms that u and v have established and makes u and v execute $\mathit{csprot}_{u,p,t}$. He replies true if the protocol execution is successful and false otherwise (including the case where u and v have not established any pseudonym). Note that A does not learn the value of p. 

corruptUser(u): A may arbitrarily select a user $u \in U$ and issue this query. When this happens, the Challenger hands all the private information of u to A. This includes u's pseudonyms, credentials and all his past protocol views. From that point on, the control of u is passed from the Challenger to A. 
corruptIssuer(i): A may arbitrarily select an issuer $i \in I$ and issue this query. When this happens, the Challenger hands all the private information of i to A. This includes the set of pseudonyms i has established and all its past protocol views. From that point on, the control of i is passed from the Challenger to A. 

corruptVerifier(v): A may arbitrarily select a verifier $v \in V$ and issue this query. When this happens, the Challenger hands all the private information of v to A. This includes the set of pseudonyms v has established and all its past protocol views. From that point on, the control of v is passed from the Challenger to A. 

In all games, a global and monotonically increasing variable $\tau$ counts A's queries. We say that the query is issued at the time indicated by $\tau$. At some point in time, A exits the first phase and enters the second phase. The value of $\tau$ at that point is denoted by $\tau_{\max}$. In the second phase A may no longer issue any queries; what happens is specific to each game and is described below. 

To describe the games we require some additional notation. In the following, $P_{u,o} \subseteq P$ denotes the set of pseudonyms the user $u \in U$ has established with the organisation $o \in (I \cup V)$ at time $\tau_{\max}$ (via A's peprot queries), i.e. $P_{u,o} \stackrel{\mathrm{def}}{=} \{p \in P \mid \text{a successful } \mathit{peprot}_{u,o,p} \text{ occurred at a time } \tau \le \tau_{\max}\}$. The set of pseudonyms belonging to u is defined as $P_u \stackrel{\mathrm{def}}{=} \bigcup_{o \in (I \cup V)} P_{u,o}$ and the set of pseudonyms that o has established is defined as $P_o \stackrel{\mathrm{def}}{=} \bigcup_{u \in U} P_{u,o}$. (Since A does not learn the value of pseudonyms during their establishment, only u knows $P_u$ and only o knows $P_o$.) The set of active pseudonyms in the system is defined as $P^* \stackrel{\mathrm{def}}{=} \bigcup_{u \in U} P_u$, or, equivalently, $P^* = \bigcup_{o \in (I \cup V)} P_o$. Since A is polynomially bounded in k, it holds that $|P^*| \in \mathrm{poly}(k)$. It is required that, for all distinct $u, u' \in U$, $P_u \cap P_{u'} = \emptyset$⁴. The function $f : P^* \to U$ maps pseudonyms to their owners, which is well-defined by the assumption that $P_u \cap P_{u'} = \emptyset$. 

Let $\hat U \subseteq U$, $\hat I \subseteq I$ and $\hat V \subseteq V$ denote the subsets of users, issuers and verifiers respectively that A corrupted during the first phase. Further, let $P_{u,t}(x) \subseteq P_u$ denote the subset of pseudonyms belonging to user $u \in U$ on which a credential of type $t \in T^*$ has been issued prior to time x, i.e. $P_{u,t}(x) \stackrel{\mathrm{def}}{=} \{p \in P_u \mid \text{a successful } \mathit{ciprot}_{i,p,t} \text{ occurred at time } \tau < x\}$. 
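The Challenger's bookkeeping for the first phase of Games 1 to 3 can be made concrete. The following Python model is an added example written for this edit, not code from the paper. It implements the three run* queries and corruptUser against a constructed ‘ideal’ pseudonym system (a showing of type t by user u succeeds exactly when $P_{u,t}(\tau) \neq \emptyset$, i.e. u has been issued that type on some pseudonym), keeps the counter $\tau$, returns only booleans to the adversary, and exposes the derived sets $P_{u,o}$, $P_u$, $P_o$, $P^*$, f and $P_{u,t}(x)$ together with the disjointness requirement on the $T_i$. The class and method names (Challenger, P_ut, demo) and the sample players alice, bob, dmv and bar are assumptions of the example.

```python
"""Added example: the Challenger's first-phase bookkeeping for Games 1-3
(not code from the paper). The underlying pseudonym system is a constructed
'ideal' one: a showing of type t on a pseudonym of u succeeds exactly when
P_{u,t}(tau) is non-empty, i.e. u has been issued that type on some pseudonym."""
from itertools import count


def types_disjoint(issuer_types):
    """Requirement of section 2.1: T_i and T_i' are disjoint for distinct issuers."""
    seen = set()
    for ti in issuer_types.values():
        if seen & ti:
            return False
        seen |= ti
    return True


class Challenger:
    def __init__(self, users, issuers, verifiers, issuer_types):
        # init: fixes U, I, V and the sets T_i (issuer -> set of types it will issue)
        if not types_disjoint(issuer_types):
            raise ValueError("the sets T_i must be pairwise disjoint")
        self.U, self.I, self.V = set(users), set(issuers), set(verifiers)
        self.T = {i: set(issuer_types.get(i, ())) for i in self.I}
        self.T_star = set().union(*self.T.values())   # T* = union of all T_i
        self.tau = 0                                   # global query counter
        self._fresh = count(1)
        self.P_uo = {}          # (u, o) -> P_{u,o}, pseudonyms u established with o
        self.owner = {}         # p -> u, i.e. the function f on P*
        self.issued = {}        # (p, t) -> tau at which ciprot_{i,p,t} succeeded
        self.corrupted = set()  # the set of corrupted users (U hat)

    # ---- phase-1 oracle queries: A only ever sees a boolean, never a pseudonym ----
    def runpeprot(self, u, o):
        self.tau += 1
        if u not in self.U or o not in (self.I | self.V):
            return False
        p = f"p{next(self._fresh)}"                    # fresh value, so P_u and P_u' never overlap
        self.P_uo.setdefault((u, o), set()).add(p)
        self.owner[p] = u
        return True

    def runciprot(self, u, i, t):
        self.tau += 1
        ps = self.P_uo.get((u, i), set())
        if i not in self.I or t not in self.T[i] or not ps:
            return False                               # includes 'no pseudonym established'
        p = min(ps)                                    # Challenger picks one p from P_{u,i}
        self.issued.setdefault((p, t), self.tau)
        return True

    def runcsprot(self, u, v, t):
        self.tau += 1
        ps = self.P_uo.get((u, v), set())
        if v not in self.V or not ps:
            return False
        # ideal sound system: u can show type t iff some pseudonym of u was issued t earlier
        return bool(self.P_ut(u, t, self.tau))

    def corruptUser(self, u):
        self.tau += 1
        self.corrupted.add(u)
        # everything private to u passes to A: pseudonyms and credentials (views omitted here)
        return {"pseudonyms": self.P_u(u),
                "credentials": {pt for pt in self.issued if self.owner[pt[0]] == u}}

    # ---- derived sets of section 2.2 ----
    def P_u(self, u):
        return set().union(*(ps for (uu, _), ps in self.P_uo.items() if uu == u))

    def P_o(self, o):
        return set().union(*(ps for (_, oo), ps in self.P_uo.items() if oo == o))

    def P_star(self):
        return set(self.owner)

    def f(self, p):
        return self.owner[p]

    def P_ut(self, u, t, x):
        """P_{u,t}(x): pseudonyms of u on which type t was issued before time x."""
        return {p for (p, tt), tau in self.issued.items()
                if tt == t and tau < x and self.owner[p] == u}


def demo():
    """Constructed run: alice is issued an over18 credential, bob is not."""
    c = Challenger(["alice", "bob"], ["dmv"], ["bar"], {"dmv": {"over18"}})
    c.runpeprot("alice", "dmv")                          # tau=1, establishes p1
    c.runpeprot("alice", "bar")                          # tau=2, establishes p2
    c.runpeprot("bob", "bar")                            # tau=3, establishes p3
    issued = c.runciprot("alice", "dmv", "over18")       # tau=4, over18 issued on p1
    shown = c.runcsprot("alice", "bar", "over18")        # tau=5, succeeds on p2
    forged = c.runcsprot("bob", "bar", "over18")         # tau=6, fails: bob holds no over18
    return c, issued, shown, forged


if __name__ == "__main__":
    c, issued, shown, forged = demo()
    print(issued, shown, forged, sorted(c.P_star()), c.P_ut("alice", "over18", c.tau))
```

The adversary drives the run through demo-style calls but only ever sees the booleans; the sets P_u, P_o and P_{u,t}(x) are the Challenger's private view, which is exactly what the second phase of the games reasons about.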

We now describe the second phase of Games 1, 2 and 3. As mentioned above, A may no longer issue queries to the Challenger in this phase. He may, however, engage in $\mathit{ciprot}_{p,i,t}$ and $\mathit{csprot}_{p,v,t}$ executions directly with organisations (while pretending to be the user f(p)). 
GAME 1 (pseudonym owner protection): A selects a pseudonym/verifier/type triple $(p, v, t) \in P^* \times (V - \hat V) \times T$ such that $f(p) \in (U - \hat U)$. We say that A wins the game iff he can make v accept in a $\mathit{csprot}_{p,v,t}$ execution with probability greater than any negligible function in k. 

GAME 2 (credential unforgeability): A selects a pseudonym/verifier/type triple $(p, v, t) \in P^* \times (V - \hat V) \times (T - \bigcup_{i \in \hat I} T_i)$ such that $P_{f(p),t}(\tau_{\max}) = \emptyset$ and $P_{\hat u,t}(\tau_{\max}) = \emptyset$ for all $\hat u \in \hat U$. We say that A wins the game iff he can make v accept in a $\mathit{csprot}_{p,v,t}$ execution with probability greater than any negligible function in k. 

GAME 3 (credential non-transferability): A selects a pseudonym/verifier/type triple $(p, v, t) \in P^* \times (V - \hat V) \times (T - \bigcup_{i \in \hat I} T_i)$ such that $P_{f(p),t}(\tau_{\max}) = \emptyset$. We say that A wins the game iff he can make v accept in a $\mathit{csprot}_{p,v,t}$ execution with probability greater than any negligible function in k. 

DEFINITION 2 A pseudonym system is said to offer pseudonym owner protection, credential unforgeability or credential non-transferability if and only if no adversary A can win Game 1, 2 or 3, respectively. 

2.3 Discussion 

Game 1, ‘pseudonym owner protection’, captures security for users; 
nobody — even when colluding with users, issuers and verifiers — should 
be able to successfully show a credential on a pseudonym of which he 
is not the owner (i.e. on a pseudonym which was not established by 
himself). The property is typically achieved by having the pseudonym 
establishment protocol generate some private output for the user. This 
output is then treated as a secret that enables the user to authenticate 
himself as the pseudonym owner during the execution of the credential 
issuing and showing protocols. 

Games 2 and 3 capture security for organisations. In particular, Game 2 captures what is usually perceived as ‘credential unforgeability’. If a (dishonest) user can construct a credential by himself (i.e. without obtaining it legitimately from an issuing organisation), if, in other words, the user can forge the credential, then the system clearly does not offer credential unforgeability. Game 2 captures unforgeability in this sense. There is, however, a simplistic way for a user to ‘forge’ a credential: by ‘borrowing’ it from another user with whom he colludes (and who legitimately obtained the credential from an issuing organisation). This type of ‘forgery’ is not captured by Game 2. In some applications credential sharing is not a concern while forgery is. 

Game 3, credential non-transferability, captures the case of credential sharing between users. In a system that offers credential non-transferability, no user can successfully show a credential of a type he himself was never issued. This holds even in the case he colludes with other users that have been issued credentials of that type. 

It is interesting to observe the relationship between the notions of 
unforgeability and non-transferability: the latter, being stronger, implies 
the former. Clearly, if a dishonest user can construct credentials by 
himself, there is no need for him to collude with other users in order 
to forge one. In the model, this is simply reflected by the fact that the 
adversary is more restricted in his choice of the credential type in the 
(second phase of the) second game than he is in the (second phase of the) 
third. A system that offers non-transferability also offers unforgeability. 

This relationship between unforgeability and non-transferability motivates the following definition of a sound pseudonym system. 

DEFINITION 3 A pseudonym system is said to be sound if it offers pseudonym 
owner protection and credential non-transferability. 

As a side comment, note that non-transferability of credentials is probably the most challenging property for a pseudonym system to achieve. How can colluding users be prevented from sharing their credentials? Certainly, if two users share all their secrets, then they can act as each other in all circumstances. Thus, one will always have to assume that users will not share all their secrets, either because they will be prevented by some means, e.g. by the use of tamper-resistant hardware, or because they will be given a sufficiently strong incentive not to. Examples of schemes that follow the latter strategy include the ones in [Lysyanskaya et al., 2000], where sharing credentials implies sharing a highly valued key (this is called ‘PKI-assured non-transferability’), and [Camenisch and Lysyanskaya, 2001], where sharing one credential implies sharing all credentials (this is called ‘all-or-nothing non-transferability’). 

2.4 Unlinkability of pseudonyms 

We now define Game 4 in order to capture the first privacy property required of pseudonym systems, i.e. the property of pseudonym unlinkability. A second (weaker) privacy property is defined in section 2.6. 

In the first phase of the Game 4, A is allowed to issue queries from the following set of query types, which are similar but not identical to the first three query types of section 2.2. 

runpeprot(o): A may arbitrarily select an organisation $o \in (I \cup V)$ and issue this query. When this happens, the Challenger selects a user u according to a probability distribution $\mathcal{D}$ from U and makes u and o execute $\mathit{peprot}_{u,o,p}$. He replies true if the protocol execution is successful and false otherwise. (If the execution is successful, A knows that u and o have established a new pseudonym $p \in P$ but learns neither p nor the identity of its owner.) 

runciprot(p, i, t): A may arbitrarily select a pseudonym/issuer pair $(p, i) \in P \times I$ and a credential type $t \in T_i$ and issue this query. When this happens, the Challenger selects the owner of p and makes him execute $\mathit{ciprot}_{i,p,t}$ with i. He replies true if the protocol execution is successful and false otherwise (including the case where p has no owner). Note that A does not learn who the owner of p is. 

runcsprot(p, v, t): A may arbitrarily select a pseudonym/verifier pair $(p, v) \in P \times V$ and a credential type $t \in T$ and issue this query. When this happens, the Challenger selects the owner of p and makes him execute $\mathit{csprot}_{u,p,t}$ with v. He replies true if the protocol execution is successful and false otherwise (including the case where p has no owner). Note that A does not learn who the owner of p is. 

corruptUser(u): As in section 2.2. 

corruptIssuer(i): As in section 2.2. 

corruptVerifier(v): As in section 2.2. 

We now describe the second phase of the Game 4. We denote the set of pseudonyms that belong to uncorrupted users by $P^{**} \stackrel{\mathrm{def}}{=} P^* - \bigcup_{u \in \hat U} P_u$. 

GAME 4 (pseudonym unlinkability): A outputs two distinct pseudonyms $p_1, p_2 \in P^{**}$. We say that A wins the game iff $f(p_1) = f(p_2)$. 

A may apply a variety of strategies in his effort to correlate pseudonyms. 
We now consider what is probably the most naive strategy and arrive at 
the following simple result. 

LEMMA 1 If the Challenger, during runpeprot(o) queries of an instance of Game 4, selects users uniformly at random (i.e. $\mathcal{D}$ is the uniform distribution), and two pseudonyms, $p_1, p_2$ say, are chosen at random from $P^{**}$, then the probability that $f(p_1) = f(p_2)$ is $1/|U - \hat U|$. 

Proof Suppose $f(p_1) = u \in (U - \hat U)$. Then the probability that $f(p_2) = u$ is $1/|U - \hat U|$, since the pseudonyms are allocated uniformly at random to users, and hence also to uncorrupted users. The result follows. □ 

A Security Model for Anonymous Credential Systems 

Thus it is tempting to define a pseudonym system that offers unlinkability of pseudonyms as a system where A cannot win the Game 4 with probability greater than $1/|U - \hat U| + \epsilon(k)$ for any negligible function $\epsilon$. However, this is only a reasonable definition of unlinkability if $\mathcal{D}$ is the uniform distribution and if no credentials are shown during the first phase of the game, i.e. there are no instances of runcsprot. Any instance of runcsprot potentially provides the adversary with information about possible links between pseudonyms, and hence potentially increases the adversary’s probability of success in linking pseudonyms. Thus, the definition of pseudonym unlinkability needs to take this additional information into account. 

Assuming a sound pseudonym system, there are two types of deduction that can be made. 

■ Suppose a runcsprot invocation, say runcsprot(p, v, t) for some p, v and t, issued at time $\tau$, returns true. Then A can deduce that there exists some $p' \in \bigcup_{u \in U} P_{u,t}(\tau)$ such that $f(p) = f(p')$. 

■ Suppose a runcsprot invocation, say runcsprot(p, v, t) for some p, v and t, issued at time $\tau$, returns false. Then A can deduce that $f(p) \neq f(p')$ for all $p' \in \bigcup_{u \in U} P_{u,t}(\tau)$. 

In any instance of Game 4, which in its first phase will involve a series of queries, A will be able to make a series of deductions about matchings of pseudonyms based on the outcomes ({true, false}) of runcsprot queries (as above). As a result, for each pair of distinct pseudonyms $p_1, p_2 \in P^{**}$, A will be able to compute the probability $P_{p_1,p_2}$ that $f(p_1) = f(p_2)$ based on these observations (assuming that A makes optimal use of the information provided). A also takes into account the probability distribution $\mathcal{D}$ used by the Challenger to select the user during runpeprot queries. 

We now define P to be the maximum of these probabilities, i.e. 

$$P = \max_{\substack{p_1, p_2 \in P^{**} \\ p_1 \neq p_2}} P_{p_1,p_2}.$$ 

We can now define the notion of pseudonym unlinkability. 

DEFINITION 4 A sound pseudonym system is said to offer pseudonym
unlinkability iff no A can win Game 4 with probability greater than
$P + \epsilon(k)$ for any negligible function $\epsilon$.

An example scenario of how the two types of deduction might be 
applied in order to calculate P, is given in the Appendix. 

2.5 Discussion 

In real life, colluding organisations could come up with many more
effective strategies in order to correlate pseudonyms. Examples include
attacks that take into account information such as the time or the
geographical location of events that occur in the system. These attacks,
however, are not captured by the model, simply because they lie at a
different level of abstraction. Protection against, say, timing attacks,
de-anonymising traffic analysis or social engineering, is required
irrespective of which particular pseudonym system is being used. The
only adversarial strategies to correlate pseudonyms that are inherent in
the system, and therefore lie at the same level of abstraction, are the
following.

1 If some user is asked for but fails to produce a credential of a
given type, the colluding organisations know that none of the
pseudonyms on which a credential of that type was previously
issued belongs to that user.

2 If some user successfully shows a credential of a given type on one
of his pseudonyms, the colluding organisations know that at least
one of the pseudonyms on which a credential of that type was
previously issued belongs to that user.

These strategies are captured by the probability bound P. A pseudonym
system cannot protect against these strategies without breaching one of
its essential properties: that of credential non-transferability. In other
words, if a (sound) pseudonym system satisfies Definition 4, this means
that the probability that pseudonyms can be successfully linked does not
exceed the given bound (by a non-negligible quantity), provided that no
'out-of-scope' attacks take place.

2.6 Indistinguishability of pseudonyms 

We now establish our second privacy property, namely the notion 
of indistinguishability of pseudonyms and show that it is a necessary 
condition for pseudonym unlinkability. 

Consider the following game between a Challenger and a polynomial
time (and space) adversary A. First, the Challenger chooses a sound
pseudonym system and a security parameter k. On input k, he runs
init and gives the set U of users to A. A then chooses two users
$u_0, u_1 \in U$ and gives them to the Challenger. The Challenger now flips
an unbiased random bit $b \in \{0, 1\}$ and makes $u_b$ execute peprot with
some organisation $o \in (I \cup V)$. He then gives o's private information
(including the protocol view and the resulting pseudonym p) to A.

GAME 5 (pseudonym indistinguishability): A outputs a bit $b' \in \{0, 1\}$.

We say that A wins the game iff $b' = b$ with probability $\Pr > 1/2 + \epsilon(k)$,
for any negligible function $\epsilon$.

DEFINITION 5 A pseudonym system is said to offer indistinguishability
of pseudonyms iff no adversary A can win the above game.

THEOREM 1 If a sound pseudonym system offers pseudonym
unlinkability it also offers pseudonym indistinguishability.

Proof Suppose the contrary, i.e. suppose the pseudonym system
offers pseudonym unlinkability but does not offer pseudonym
indistinguishability. Given $A_I$, an adversary that breaks pseudonym
indistinguishability, we construct $A_U$, an adversary that breaks pseudonym
unlinkability, as follows. While playing Game 4 (unlinkability) with the
Challenger, $A_U$ plays the role of the Challenger in Game 5
(indistinguishability) with $A_I$.

Choose a negligible function $\epsilon$. Let $\rho(k) = \sqrt{\epsilon(k)/2}$, which, by
definition, is also negligible. In Game 4, $A_U$ corrupts all parties except
two users, say $u_0$ and $u_1$, and one organisation, say o, i.e. $(U - \bar{U}) = \{u_0, u_1\}$
and $(I - \bar{I}) \cup (V - \bar{V}) = \{o\}$. Then $A_U$ issues runpeprot(o) queries until three
pseudonyms, say $p_1$, $p_2$ and $p_3$, are established between o and $\{u_0, u_1\}$.
$A_U$ does not issue any runcsprot queries.

$A_U$ then plays three instances of Game 5 (indistinguishability) with
$A_I$; in all these games he gives the set of users $U = \{u_0, u_1\}$ to $A_I$.
In the first he gives the pseudonym $p_1$ to $A_I$, in the second $p_2$, and in
the third $p_3$ (together with o's private information and corresponding
peprot views). Denote $A_I$'s output occurring in the three instances of
Game 5 by $b_1$, $b_2$ and $b_3$ respectively. Now, since we have assumed that
$A_I$ breaks pseudonym indistinguishability, we suppose that $A_I$ wins all
instances of Game 5 with probability $1/2 + \delta(k)$, where $\delta(k) > \rho(k)$ for
all sufficiently large k.

$A_U$ now selects $j, j' \in \{1, 2, 3\}$, $j \neq j'$, such that $b_j = b_{j'}$, where the
pair $(j, j')$ exists by the pigeonhole principle, and outputs $(p_j, p_{j'})$. Now,
since $b_j = b_{j'}$ and $f(p_j), f(p_{j'}) \in \{u_0, u_1\}$, we know that $f(p_j) = f(p_{j'})$ if and
only if either ($f(p_j) = u_{b_j}$ and $f(p_{j'}) = u_{b_j}$) or ($f(p_j) \neq u_{b_j}$ and $f(p_{j'}) \neq u_{b_j}$).
Hence:

$$
\begin{aligned}
\Pr(f(p_j) = f(p_{j'})) &= \Pr(f(p_j) = u_{b_j}) \cdot \Pr(f(p_{j'}) = u_{b_j})
  + \Pr(f(p_j) \neq u_{b_j}) \cdot \Pr(f(p_{j'}) \neq u_{b_j}) \\
&= (1/2 + \delta(k))^2 + (1/2 - \delta(k))^2 \\
&= 1/2 + 2\delta(k)^2 \\
&> 1/2 + 2\rho(k)^2 \quad \text{(for all sufficiently large } k\text{)} \\
&= 1/2 + \epsilon(k)
\end{aligned}
$$

where $\epsilon$ was assumed to be negligible. Thus $A_U$ breaks unlinkability,
contradicting our assumption, and the result follows. □
2.7 Anonymity of users

Consider a sound pseudonym system that offers pseudonym
unlinkability. The owner $u \in (U - \bar{U})$ of pseudonym p ($u = f(p)$) is hidden
in the anonymity set $U - \bar{U}$ because, from A's point of view, any user
in that set could potentially be the owner of p. The effective size of
the anonymity set, however, depends on the probability distribution
$\mathcal{D}$ according to which users are selected during pseudonym
establishment. Using the information-theoretic anonymity metric of [Serjantov
and Danezis, 2002; Steinbrecher and Koepsell, 2003], for a pseudonym
$p \in P^*$ this is given by $-\sum_{u \in U - \bar{U}} \Pr(f(p) = u) \log_2[\Pr(f(p) = u)]$
and is maximised if $\mathcal{D}$ is the uniform distribution. In this case the
effective size of the anonymity set for all pseudonyms is $\log_2 |U - \bar{U}|$.
It is worth observing that, in the general case, it makes sense to
consider the anonymity of the user while acting using a particular
pseudonym. In other words, it is likely that the anonymity a user enjoys
will depend on the pseudonym under which he is acting.

The above measure of anonymity only applies to a naive adversary;
it only takes into account the a priori knowledge (i.e. the distribution
$\mathcal{D}$). After observing the system for some time, in the sense of Game 4,
A may decrease the unlinkability between pseudonyms. This decrease
in unlinkability yields an a posteriori probability distribution $\mathcal{D}'$, that
A is able to construct using deductions that he can make due to the
scheme's soundness. While it is the distribution $\mathcal{D}'$ that defines the
(effective) size of the anonymity set in which users are hidden (while
acting under one of their pseudonyms), this does not necessarily mean
that a reduction in unlinkability implies a reduction in anonymity in the
theoretical definition of the term. Of course, in practice, any linking of
pseudonyms is likely to lead to an increased risk of loss of anonymity
because of 'out of scope' attacks. As a result, unlinkability is a property
of great importance in its own right.

3. FUTURE WORK AND CONCLUDING REMARKS

In this paper we have introduced a complexity theoretic model for
anonymous credential systems. We have formally defined the notions of
pseudonym owner protection, credential unforgeability, credential
non-transferability and pseudonym unlinkability. A key challenge is thus
to construct scheme(s) that meet the definitions in this model, and/or
to prove, under appropriate assumptions, the security of existing ones.
There is, however, room to refine and extend the model itself;
determining the probability P by which colluding organisations should be
bound when trying to correlate pseudonyms, given a specific history of
events in the system, is clearly of importance. Naive strategies for
computing P appear to be of exponential complexity. Hence, incorporating
efficient strategies for computing, approximating or bounding P into the
model is a desirable refinement. It is envisaged that a refined version of
the model described above will combine complexity theory and probability
theory in order to describe the resulting degrees of unlinkability and
anonymity using recently proposed information theoretic metrics [Serjantov
and Danezis, 2002; Steinbrecher and Koepsell, 2003]. This should provide
further insight into the inherent limits of unlinkability and anonymity
in credential systems. We believe that this will also provide insight as
to what they have to achieve in order not to be considered the weakest
link with respect to the overall system of which they form part. An
extended version of the model could capture additional properties of
pseudonym systems, for example credentials that can be shown only a
limited number of times and anonymity revocation.

Another direction for future research is the analysis of real-world
distributions $\mathcal{D}$ of pseudonym-to-user mappings. This might lead to the
description of strategies that users might follow, in a realistic setting, in
order to maximise the unlinkability of their pseudonyms. Given the
statistical properties of the context, this could also lead to descriptions of
how long any given pseudonym can be kept before it should be renewed
(if the context allows for this).
Appendix: An Example

The following example scenario illustrates how the adversarial strategies are
captured by the probability bound P. For the sake of simplicity, in the example there
are only one issuer which issues only two types of credential, one verifier and three
users. It is assumed that, during the first phase of Game 4 (unlinkability), the
adversary corrupts all parties except for the three users, i.e. $I = \bar{I} = \{i\}$,
$V = \bar{V} = \{v\}$, $U = \{u_1, u_2, u_3\}$, $\bar{U} = \emptyset$ and $T^* = T_i = \{t_1, t_2\}$.

Table A.1 depicts the queries that A issues in this example scenario.

Table A.1. Example scenario: queries issued by A (the runpeprot queries shown are
those that returned true).

  Time  Query type  Org  Pseudonym  Type  Outcome
     1  runpeprot   i    p1         n/a   true
     2  runpeprot   i    p2         n/a   true
     3  runpeprot   i    p3         n/a   true
     4  runpeprot   v    p4         n/a   true
     5  runpeprot   v    p5         n/a   true
     6  runciprot   i    p1         t1    true
     7  runciprot   i    p1         t2    true
     8  runciprot   i    p2         t1    true
     9  runciprot   i    p2         t2    true
    10  runciprot   i    p3         t1    true
    11  runcsprot   i    p4         t1    true
    12  runcsprot   i    p5         t1    false
    13  runcsprot   i    p6         t1    false

From the first runcsprot query, A can deduce that $f(p_4) = f(p_1)$ or $f(p_4) = f(p_2)$
or $f(p_4) = f(p_3)$. From the second runcsprot query, A can deduce that $f(p_5) \neq f(p_1)$
and $f(p_5) \neq f(p_2)$ and $f(p_5) \neq f(p_3)$. From the third runcsprot query, A can
deduce that $f(p_6) \neq f(p_1)$ and $f(p_6) \neq f(p_2)$ and $f(p_6) \neq f(p_3)$.

Combining the three runcsprot queries, A can deduce, with certainty, that $f(p_4) \neq f(p_5)$
and that $f(p_4) \neq f(p_6)$. It follows that $p_5$ and $p_6$ must belong to the two
users $\{u_1, u_2, u_3\} - \{f(p_4)\}$. So, the probability $P_{p_5,p_6}$ that $f(p_5) = f(p_6)$ is 1/2.
This happens to be the maximum over all distinct pseudonym pairs and thus, in the
example, $P = 1/2$. In other words, if A, at the end of the game, outputs $(p_5, p_6)$,
he has a 50% chance of winning the game. If a (sound) pseudonym system offers
pseudonym unlinkability, then no A should be able to break this bound by a
non-negligible quantity.
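The two soundness deductions of Game 4 and the appendix scenario above, as an added worked example (this is not code from the paper): the adversary's "optimal use of the information" is computed exactly by enumerating every owner assignment $f : P^* \to U$ that is consistent with the runcsprot outcomes, weighting each by the prior $\mathcal{D}$, and reading off $P_{p_1,p_2}$ for every pair, the bound P of Definition 4, and the a posteriori distribution $\mathcal{D}'_p$ of Section 2.7 for each pseudonym. This is the exponential-time naive strategy that Section 3 mentions. Pseudonym, user and type names are hypothetical labels matching Table A.1, and the user behind each runpeprot is assumed to be drawn independently and uniformly. Under those assumptions the enumeration reproduces the certain deductions ($P_{p_4,p_5} = P_{p_4,p_6} = 0$) but yields $P_{p_5,p_6} = 7/8$ rather than the 1/2 of the appendix's informal argument: conditioning on both $p_5$ and $p_6$ lying outside the set of $t_1$-holders makes it more likely that $p_1, p_2, p_3$ belong to two different users, in which case $p_5$ and $p_6$ are forced onto the same remaining user, and only when $p_1, p_2, p_3$ share one owner do $p_5$ and $p_6$ coincide with probability 1/2. At the same time every per-pseudonym posterior stays uniform over the three users (an effective anonymity set of size 3), which illustrates the remark in Section 2.7 that reduced unlinkability need not reduce anonymity.

```python
from fractions import Fraction
from itertools import product
from math import log2

# Added worked example (not from the paper). Assumptions: the user behind each
# runpeprot is drawn independently from the prior D (uniform unless given), and
# the adversary, having corrupted the issuer, knows on which pseudonyms each
# credential type had been issued at the time of every runcsprot query.
# All pseudonym, user and credential-type names below are hypothetical labels.


def consistent(f, observations):
    """Soundness deductions for one owner assignment f.

    observations: list of (p, holders, outcome) where holders is the set of
    pseudonyms that held the requested type when runcsprot(p, v, t) was issued,
    i.e. the union of the P_{u,t}(tau). A show on p succeeds iff some holder
    p' has f(p) = f(p'), so an assignment contradicting any outcome is rejected.
    """
    for p, holders, outcome in observations:
        owner_holds_type = any(f[p] == f[q] for q in holders)
        if owner_holds_type != outcome:
            return False
    return True


def pair_probabilities(pseudonyms, users, observations, prior=None):
    """Exact P_{p1,p2} = Pr[f(p1) = f(p2) | observations] for every pair, and the
    a posteriori distribution D'_p of each pseudonym's owner, by enumerating all
    |U|^|P*| assignments (the exponential 'naive' strategy of Section 3)."""
    if prior is None:
        prior = {u: Fraction(1, len(users)) for u in users}
    pairs = [(p, q) for i, p in enumerate(pseudonyms) for q in pseudonyms[i + 1:]]
    total = Fraction(0)
    equal = {pair: Fraction(0) for pair in pairs}
    posterior = {p: {u: Fraction(0) for u in users} for p in pseudonyms}
    for choice in product(users, repeat=len(pseudonyms)):
        f = dict(zip(pseudonyms, choice))
        if not consistent(f, observations):
            continue
        weight = Fraction(1)
        for u in choice:
            weight *= prior[u]
        total += weight
        for p, q in pairs:
            if f[p] == f[q]:
                equal[(p, q)] += weight
        for p in pseudonyms:
            posterior[p][f[p]] += weight
    if total == 0:
        raise ValueError("observations are inconsistent with a sound system")
    probs = {pair: w / total for pair, w in equal.items()}
    dist = {p: {u: w / total for u, w in d.items()} for p, d in posterior.items()}
    return probs, dist


def linkability_bound(probs):
    """P of Definition 4: the maximum P_{p1,p2} over distinct pseudonym pairs."""
    return max(probs.values())


def effective_anonymity_set(dist_p):
    """2^H(D'_p): the entropy metric of Section 2.7 turned back into a set size."""
    entropy = -sum(float(q) * log2(float(q)) for q in dist_p.values() if q > 0)
    return 2 ** entropy


# Appendix scenario (Table A.1): t1 was issued on p1, p2 and p3 (queries 6, 8, 10)
# before the three runcsprot queries 11-13, so the holder set is the same for all.
APPENDIX_PSEUDONYMS = ["p1", "p2", "p3", "p4", "p5", "p6"]
APPENDIX_USERS = ["u1", "u2", "u3"]
T1_HOLDERS = frozenset({"p1", "p2", "p3"})
APPENDIX_OBSERVATIONS = [
    ("p4", T1_HOLDERS, True),   # query 11: show of t1 on p4 succeeded
    ("p5", T1_HOLDERS, False),  # query 12: show of t1 on p5 failed
    ("p6", T1_HOLDERS, False),  # query 13: show of t1 on p6 failed
]


def appendix_example():
    return pair_probabilities(APPENDIX_PSEUDONYMS, APPENDIX_USERS, APPENDIX_OBSERVATIONS)


if __name__ == "__main__":
    probs, dist = appendix_example()
    for pair, value in sorted(probs.items()):
        print(pair, value)
    print("P =", linkability_bound(probs))
    print("effective anonymity set of p5:", effective_anonymity_set(dist["p5"]))
```

With no observations the function returns the prior alone: every pair links with probability $1/|U|$, which is the bound the text gives for a uniform $\mathcal{D}$ and no runcsprot queries. The enumeration is $|U|^{|P^*|}$ and is only usable for toy histories, which is exactly the point the future-work section makes about approximating or bounding P.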

Notes 

1. In certain existing pseudonym systems, credential types are identified with some form
of public verification key. These keys are typically published.

2. This is easily achieved by having a unique identifier of each i embedded into all its
types $T_i$.

3. We do not specify the probability distribution according to which the Challenger selects
p from the set of pseudonyms u has established, since this should not affect security.

4. This requirement is a technicality that we need in order to define the function $f$. In
practice it can be met by having peprot select pseudonyms uniformly at random from a large
enough set P. The pseudonym establishment protocols of some existing schemes are of this
form.
Abstract In Private Information Retrieval (PIR), a user obtains one of N records from a
server, without the server learning what record was requested.

Recent research in "practical PIR" has limited the players to the user and
server and limited the user's work to negotiating a session key (eg. as in SSL),
but then added a secure coprocessor to the server and required the secure
coprocessor to encrypt/permute the dataset (and often gone ahead and built real
systems).

Practical PIR (PPIR) thus consists of trying to solve a privacy problem for a
large dataset using the small internal space of the coprocessor. This task is very
similar to the one undertaken by the older Oblivious RAMs work, and indeed
the latest PPIR work uses techniques developed for Oblivious RAMs. Previous
PPIR work had two limitations: the internal space required was still O(N lg N)
bits, and records could only be read privately, not written.

In this paper, we present a design and experimental results that overcome
these limitations. We reduce the internal memory to O(lg N) by basing the
pseudorandom permutation on a Luby-Rackoff style block cipher, and by
redesigning the oblivious shuffle to reduce space requirements and avoid
unnecessary work. This redesign yields both a time and a space savings. These changes
expand the system's applicability to larger datasets and domains such as private
file storage.

These results have been implemented for the IBM 4758 secure coprocessor
platform, and are available for download.

Keywords: Private information retrieval and storage, oblivious RAM, permutation network, 

sorting network, Luby-Rackoff cipher 

1. INTRODUCTION 

Private Information Retrieval (PIR) is a privacy-enhancing technique which 
has been receiving considerable research exploration, both theoretical and prac- 
tical. The technique allows a user to retrieve data from a server without the 
server being able to tell what data the user obtained. It is of interest as a
counterbalance to the increasing ease of collecting and storing information about
a person’s online activities, especially as these activities become a significant 
part of the person’s life. 

Examples of where PIR can be useful abound, usually where traffic analysis 
of encrypted data can yield useful information. A medical doctor retrieving 
medical records (even if encrypted) from a database may reveal that the owner 
of the record has a disease in which the doctor specializes. A company retriev- 
ing a patent from a patent database may reveal that they are pursuing a similar 
idea. Clients of both databases would benefit from the ability to retrieve their 
data without the database being able to know what they are interested in. 

Two rather separate tracks exist in the PIR research record — one focuses 
on designing cryptographic protocols which achieve PIR by either making use 
of having the dataset on multiple non-communicating servers [3], or by using 
techniques based on intractability assumptions without multiple servers [2, 9]. 

The other track attempts to produce Practical PIR schemes [1, 7, 18] that 
can be integrated into existing infrastructure, by limiting the scheme to the 
server, and only requiring the client to negotiate a secure session to the server, 
as is typical in SSL sessions. This is made possible by using a physically 
protected space at the server — a Secure Coprocessor (SCOP) [17]. 

1.1 Existing Prototype 

Our previous work on Practical PIR (PPIR) [7] produced a PPIR prototype
running on the IBM 4758 secure coprocessor with Linux [17], and offering an
LDAP¹ interface to the outside. We will first describe the background items
related to this prototype.

Secure Coprocessors. A secure coprocessor is a small general purpose 
computer armored to be secure against physical attack, such that code running 
on it has some assurance of running unmolested and unobserved [22]. It also 
includes mechanisms to prove that some given output came from a genuine 
instance of some given code running in an untampered coprocessor [16]. The 
coprocessor is attached to a host computer. The SCOP is assumed to be trusted 
by clients (by virtue of all the above provisions), but the host is not trusted (not 
even its root user). The strongest adversary against the schemes presented here 
is the superuser on the host. 

IBM 4758 Secure Coprocessor. The 4758 is a commercially available
device, validated to the highest level of software and physical security
scrutiny currently offered: FIPS 140-1 level 4 [19]. It has an Intel 486
processor at 99 MHz, 4MB of RAM and 4MB of FLASH memory. It also has
cryptographic acceleration hardware. It connects to its host via PCI (hence we
often refer to it as a card). Our host runs Debian Linux, with kernel version
2.4.2-2 from Redhat 7.1 as needed by the 4758/Linux device driver.

¹ Lightweight Directory Access Protocol, the protocol of choice for interfacing to online directories.

In production, the 4758 runs the CP/Q++ embedded OS; however,
experimental research devices can run a version of Linux (as does the follow-on
product from IBM). Linux has considerable advantages in terms of code portability
and ease of development: our prototype is written in C++, making extensive
use of its language features and the Standard Template Library, and it runs fine
on the 4758 with Linux.

PIR using Secure Coprocessors. The model which we follow is 
that we have available a physically protected computing space at the server. If 
this space was large enough to hold the whole dataset, the problem would be 
solved, as clients could negotiate a secure session with it, and then retrieve their 
data. Since it is physically protected, no one should be able to observe what 
item the client obtained. Unfortunately practical considerations result in real 
protected environments being quite small, much too small to hold the entire 
dataset. Thus, the problem becomes that we want to provide private access 
to a large dataset while using only a small amount of protected space. This 
is almost isomorphic to the Oblivious RAM problem [6], which we discuss 
further in Section 2. 

Model. In Figure 1 we show the more concrete setup: we have a dataset
of N named items each of size M. The items may be visible to the host; they
may also be encrypted (for the SCOP's private key), though why and how
they may be encrypted ahead of time is orthogonal to our topic here. A client
connects to the SCOP (tunneling via the host) and delivers a request for one of
the items. The SCOP is very limited in memory: it is allowed O(lg N + M)
memory, which is the minimum needed to store pointers into the dataset, as
well as a constant number of actual data items. Any larger storage, like the
actual dataset or pre-processed versions of it, is provided by the host. Thus the
SCOP has to make I/O requests to the host in order to service a client request.
To be a correct PIR scheme, it must be the case that the host cannot learn
anything² about client requests from observing the I/O from the SCOP.

Simply encrypting the records does not solve the problem; the server can 
still learn the identity of requested items, and (if the server colludes with a user) 
can learn what any given record decrypts to. It is also insufficient to only hide 



² We are assuming that cryptography works; strictly speaking, this scheme is not secure in the
information-theoretic sense, since the host can still see ciphertext.
Figure 1. The setup of hardware assisted PIR



the identity of single retrievals, as then an attacker could learn the popularity 
of individual items, and correspondence between requests, eg. “Aphrodite and 
Boris both retrieved the same data item today”. 

The Initial PIR with secure coprocessors algorithm. In their
initial proposal of using secure hardware for PIR, Smith and Safford kept the
dataset unprocessed on the host [18]. Given a request for item i, the SCOP
reads every item in the dataset, internally keeps item i and returns it to the
client at the end. The host only observes that the SCOP touched every record,
so it does not learn anything about i. The clear problem is that every retrieval
takes O(N) time. (Careful data structures can permit the work to be divided
evenly across several devices, but this time bound is still problematic.)

Latest PIR Algorithm. The structure of the algorithm we use was
originally developed by Goldreich and Ostrovsky for the Oblivious RAM
problem [6]. We note first that it relies on having a dataset of numbered items, from
1 to N. It proceeds in retrieval sessions, where a session S consists of:

Randomly permuting the contents of records 1 through N. First, the
SCOP encrypts each record in the dataset. Then, the SCOP (pseudo)randomly
selects a permutation π of [1..N], and relocates the contents of each record r,
1 ≤ r ≤ N, to record location π(r), changing the encryption along the way. This
produces the shuffled³ dataset of encrypted items D_π. The relocations must

³ We use permute and shuffle interchangeably, but shuffle always refers to permuting the whole dataset, as
opposed to computing π(i) for some i.
be done so that the host cannot learn which permuted record corresponds to
which input record, after having observed the pattern of record accesses during
the permutation. Using the terminology of Goldreich et al., the permutation
algorithm must be oblivious: have the same I/O access pattern regardless of
the input (ie. the permutation)⁴ [6].

Servicing k ≪ N retrievals. By now, the permuted dataset D_π is available
on the host, and the SCOP knows π. The SCOP uses this knowledge to hide
the identities of retrieved records. In order to retrieve record r, the SCOP reads
in π(r) from D_π, and the host does not learn what r can be.

What is left is to hide the relationships between retrieved items, so the host
(for example) cannot tell how many times a given item was retrieved. The
approach is to copy records which have been accessed into a working pool P_S
of maximum size k, which is scanned in its entirety for every retrieval. On
each retrieval for record r, one record from D_π is added to P_S: either r if it is
not already there, or a random untouched record if it is. Thus, records in D_π
are accessed at most once.

The implementer can set a maximum value of k, to put a maximum value
on the response time for any given query. However, the shuffling step needs to
be fast enough to have a new shuffle ready when P_S reaches that maximum k.

The private shuffle implementation has varied in the literature, and in
our prototype we had added a new approach: using Benes permutation
networks [21]. A Benes network can perform any permutation π of N input items
by passing them through O(N lg N) crossbar switches which operate on two
items, either crossing them or passing them straight. The connections between
the switches are fixed for a given N, only the cross-bar settings differ for
different π.

This network is useful for our problem because (1) the SCOP can use
cryptography to perform a cross-bar switch on two items resident on the host
without the host learning which way the switch went, and (2) by doing this for
all the switches in a Benes network, the SCOP can permute the whole dataset
without the host learning anything about the permutation, even though he
observes all the record I/O. More specifically, to execute a switch the SCOP reads
in the two records involved, internally crosses them or not, and writes them out
encrypted under a new key so the host cannot tell if it was a cross or not. Since
the network consists of 2 lg N columns of switches with N/2 switches each,
and the SCOP can execute the switches column by column, he can use one key
per column, thus never needing to store more than two keys at a time during
the operation.



⁴ The access pattern, ie. the sequence and values of I/O operations, will not be identical for all π, but must
look identical to a computationally bound observer.
Networks similar to the Benes are capable of performing other tasks
obliviously, again making use of the fact that the SCOP can hide which way a unit
operation (on two inputs) went, and by virtue of the fixed structure of the
network, the ability to hide the setting of each unit extends to being able to hide
the setting of the whole network. We later make use of sorting and merging
networks in this manner.

1.2 Improvements to the Prototype 

There are two areas where we saw the potential to improve our prototype: 
memory usage inside the SCOP, and the ability to update items privately. 

Memory usage. Our prototype used two techniques which required
O(N lg N) bits of storage inside the SCOP⁵. One was the storage of a
permutation π selected uniformly at random from the set of all N! permutations.
The other was the execution of a Benes network on the data items; in particular
computing the switch settings of the network required O(N lg N) bits⁶.

These "memory-hungry" techniques were not a problem for the kind of
datasets we were treating, with N < 2^13 or so, and the memory available in
the 4758. However even for N = 2^18, two objects of N lg N bits each would
need more than 1MB, which begins to strain the 4758's memory. In any case,
the memory requirements were, strictly speaking, inconsistent with the desire
to have a small protected space.

Updates. Our prototype was really a Private Information Retrieval server,
and did not have the option for clients to update the contents of data items. This
ability could be of interest though, in more interactive applications of the PIR
technique, for example if one wanted to build a private filesystem, which could
be housed in a remote location but assure a user that nothing about his activities
on the filesystem could be gleaned by the remote site.

2. RELATED WORK 

Throughout this paper one notices references to Oblivious RAM
(ORAM) [6]. This is because that problem has a very similar structure to
hardware-assisted PIR, and the mechanisms developed there are for the most
part applicable here too. The ORAM problem is for a physically shielded but
space-limited CPU to execute an (encrypted) program such that untrusted external
RAM cannot learn anything about the program by observing the memory
access pattern. The CPU corresponds to the SCOP (acting on behalf of clients),
and untrusted RAM corresponds to the host. The asymptotically slower
solution presented there (square-root algorithm) is what we base our algorithm
on.

⁵ Note that this is less than the Θ(NM) storage which would be needed to hold the whole database: the size
of data items we were working with was at least 1KB.

⁶ It is not useful to store the settings on the host, as they are computed in an order dependent on the input,
so an adversary could learn about π by observing this order.

The asymptotically superior ORAM solution (polylog algorithm) has an
O(lg⁴ N) per memory access overhead. An actual operation count reveals that it
has a larger actual overhead than the square-root algorithm for about N < 2^20.
Such large dataset sizes are practically infeasible for both algorithms on the
hardware we currently have, so we have not experimented with the polylog
algorithm.

The ORAM work has covered some of the aims we address in this paper, 
namely private reading and writing of memory words using a protected CPU 
with logarithmic in N memory size. 

The new contributions over ORAM in this paper are: 

■ an asymptotically and practically more efficient method of re-shuffling 
the dataset between sessions (Section 3.2), 

■ a practically efficient session-transition scheme (Section 4.2), 

■ permutation using the Luby-Rackoff scheme (which has advantages, for 
example enabling us to compose and invert pseudo-random permuta- 
tions) (Section 3.1), 

■ an actual implementation on commodity secure hardware. 

Ostrovsky and Shoup introduced communication-efficient private
information storage, the computationally secure version of which is based on the
Oblivious RAM algorithm [14].

3. MEMORY USAGE 

In this section we present solutions to the high memory needs of the pre- 
vious prototype. As mentioned before, we had two distinct sources of super- 
logarithmic memory usage, both of which are addressed. 

3.1 Permutation

We need a permutation on the set of integers {1..N}. It should be storable
in O(lg N) space, which rules out the use of a truly random permutation: it
requires O(N lg N) bits of storage. It should also be invertible, which is required
by our re-shuffling algorithm (Section 3.2). Because of the storage restriction,
we have to settle for a pseudorandom permutation, and the one we chose is the
Luby-Rackoff-style cipher on lg N-bit blocks, with 7 rounds (LR₇) [11].

An L-R cipher (on 2n-bit blocks) is a Feistel network with independent
pseudo-random round functions. A Feistel network consists of several iterated
rounds $R_i(L, R) = (R, L \oplus f_i(R))$, where

■ $L, R \in \{0, 1\}^n$ are initialized such that $L \| R = x$, x being the plaintext,

■ $f_i$ are round functions, $f_i : \{0, 1\}^n \to \{0, 1\}^n$. Note that they do not have
to be permutations for the whole network to be a permutation; this is
part of the point in fact, that non-invertible functions are used to produce
a permutation.

■ $\oplus$ is the bitwise XOR operation.

Luby and Rackoff initially proved chosen-plaintext security with 3 rounds, and 
chosen-ciphertext security with 4 rounds, in both cases with only a limited 
number of queries against the cipher oracle. 

Recent results have improved the security bounds for higher-round L-R
ciphers to state that LR₇ is indistinguishable from a truly random
permutation by an unbounded adversary given m chosen-plaintext queries, where
$m \ll 2^{n(1-\epsilon)}$ [15]. The potential weakness to chosen plaintext attacks (CPA)
is significant in our case because the host can mount such an attack by
issuing requests to the SCOP (posing as a client), and observing which items in the
shuffled dataset the SCOP accesses. In fact the host can harvest up to k
chosen-plaintext pairs from the permutation π, where k is the number of retrievals in
the session.

A variation on the basic L-R scheme has been conjectured to give a much
higher resistance to CPA: unbalanced Feistel schemes which have round
functions $f : \{0, 1\}^r \to \{0, 1\}^{2n-r}$, where $r \neq n$. In particular Patarin conjectures
that an unbalanced L-R scheme (as described, among others, by Naor and
Reingold [13, Sect. 6]) on 2n bits, using round functions $f : \{0, 1\}^{2n-1} \to \{0, 1\}$
(ie. boolean functions on 2n−1 bits), is secure against CPA given m
chosen-plaintext queries, where $m \ll 2^{2n(1-\epsilon)}$ [15].

For the pseudo-random functions inside the cipher, we use TDES (which is 
hardware accelerated on the 4758) with expansion and compression to give a 
function on the required domain. 
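The permutation of this section and the session loop described under "Servicing k ≪ N retrievals" in Section 1.1, as an added example (this is not the authors' 4758 code): a 7-round Luby-Rackoff-style permutation whose round functions are HMAC-SHA256 keyed per round, standing in for the paper's TDES-based PRF, so the SCOP holds only the round keys rather than an N lg N-bit table; the inverse is the same network run backwards, which is what the re-shuffle of Section 3.2 needs. Two things go beyond what the page states and are assumptions of this example: the round keys are derived from one master key, and cycle walking restricts the permutation to {0, ..., N−1} when N is not a power of two (the paper works on lg N-bit blocks). The session simulation returns the host's view, the positions of D_π read in order, and shows that repeated requests for the same record still produce only distinct positions, because a record already in the pool P_S triggers a read of a random untouched record instead. The key, item count and request sequence are constructed.

```python
import hashlib
import hmac
import random

# Added worked example, not the authors' 4758 code. HMAC-SHA256 stands in for
# the paper's TDES-based round function; the master key, N and the request
# sequence below are constructed. Cycle walking (restricting a 2*half-bit
# permutation to [0, N)) is an addition beyond the paper's lg N-bit setting.


class FeistelPRP:
    """Luby-Rackoff-style pseudorandom permutation on {0, ..., N-1}.

    A balanced Feistel network on 2*half-bit blocks (half = ceil(lg N / 2))
    with an independent PRF key per round, so the SCOP stores a constant
    number of keys instead of an N lg N-bit permutation table.
    """

    def __init__(self, n_items, key, rounds=7):
        if n_items < 2:
            raise ValueError("need at least two items")
        self.n = n_items
        bits = (n_items - 1).bit_length()
        self.half = max(1, (bits + 1) // 2)
        self.mask = (1 << self.half) - 1
        self.rounds = rounds
        # Independent round keys derived from one master key (assumption).
        self.round_keys = [
            hmac.new(key, b"round-%d" % i, hashlib.sha256).digest() for i in range(rounds)
        ]

    def _f(self, i, r):
        """Round function f_i: {0,1}^half -> {0,1}^half (truncated HMAC)."""
        d = hmac.new(self.round_keys[i], r.to_bytes(8, "big"), hashlib.sha256).digest()
        return int.from_bytes(d[:8], "big") & self.mask

    def _forward(self, x):
        left, right = x >> self.half, x & self.mask
        for i in range(self.rounds):
            left, right = right, left ^ self._f(i, right)  # R_i(L,R) = (R, L xor f_i(R))
        return (left << self.half) | right

    def _backward(self, y):
        left, right = y >> self.half, y & self.mask
        for i in reversed(range(self.rounds)):
            left, right = right ^ self._f(i, left), left  # undo R_i
        return (left << self.half) | right

    def perm(self, x):
        """pi(x): cycle-walk until the image lands inside [0, N)."""
        if not 0 <= x < self.n:
            raise ValueError("index out of range")
        y = self._forward(x)
        while y >= self.n:
            y = self._forward(y)
        return y

    def inverse(self, y):
        """pi^{-1}(y), needed by the re-shuffle (Section 3.2)."""
        if not 0 <= y < self.n:
            raise ValueError("index out of range")
        x = self._backward(y)
        while x >= self.n:
            x = self._backward(x)
        return x


def session_host_view(prp, requests, rng):
    """Square-root-style session: the positions of D_pi the host sees being read.

    A request for r fetches pi(r) if r is not yet in the pool P_S, otherwise a
    random untouched record, so every position is read at most once and a
    repeated request is indistinguishable from a fresh one. (The full scan of
    P_S on every retrieval is not modelled; it reveals nothing to the host.)
    """
    pool = set()
    host_view = []
    for r in requests:
        if len(pool) >= prp.n:
            raise ValueError("session exceeds N retrievals; reshuffle first")
        target = r if r not in pool else rng.choice(sorted(set(range(prp.n)) - pool))
        pool.add(target)
        host_view.append(prp.perm(target))  # the only thing the host observes
    return host_view


if __name__ == "__main__":
    prp = FeistelPRP(n_items=1000, key=b"constructed master key")
    print([prp.perm(i) for i in range(8)])
    print(session_host_view(prp, [3, 3, 7, 3, 42], random.Random(1)))
```

A host posing as a client obtains exactly this view together with its own requests, i.e. up to k pairs (r, π(r)) per session; these are the chosen-plaintext queries that the paper counts against the LR₇ bound $m \ll 2^{n(1-\epsilon)}$.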

3.2 Shuffling the Dataset

Once we have established a random or pseudo-random permutation, we
need to actually permute the records such that the server cannot learn
anything about the permutation. As mentioned before, the Benes network is not
applicable if we are to use only logarithmic space. The algorithm to set its
switches for a given permutation has resisted many simplification attempts.

The solution which we came up with takes advantage of the fact that only a
small fraction of the dataset is touched during a query session. The untouched
items do not need to be reshuffled, only the touched ones do. Informally, the
procedure for reshuffling is as follows.

Let the current permutation be π₁. Let T be the touched items at the end
of a session, and $\bar{T}$ be the remaining items, untouched. Let the size of T be




